Bump actions/checkout from 6 to 7 #101
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Kusari Analysis Results:

Caution: Flagged Issues Detected

The dependency analysis found no issues. However, the code analysis identified 6 high-severity supply chain security issues across all modified GitHub Actions workflow files. Every workflow uses mutable tag references (e.g., actions/checkout@v7) instead of immutable commit SHAs. For a repository under the Open Source Security Foundation (ossf), this is especially critical — mutable tags can be silently redirected to malicious code, compromising the integrity of CI pipelines and any artifacts they produce. We strongly recommend pinning each action reference to a full commit SHA (e.g., actions/checkout@<full-sha>) before merging.

Affected files: .github/workflows/auto-comment.yml (line 18), check-links.yml (line 11), check-outdated-content.yaml (line 70), deploy-github-pages.yml (line 20), es-spellcheck.yml (line 26), and spellcheck.yml (line 25).

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
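As an added example, not part of this PR or of Kusari's tooling: a small Python checker that flags `uses:` references not pinned to a full commit SHA (the finding above) and rewrites a tag pin into a SHA pin while keeping the tag as a trailing comment. The sample workflow, the action names other than actions/checkout, and the all-zero SHA are constructed placeholders; the real SHA for a release must be taken from the action's own tag.

```python
import re

# Matches a `uses:` step reference such as `actions/checkout@v7`, with an
# optional trailing `# v7` comment that records the pinned release.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_workflow(text: str) -> list:
    """Return (line, ref, reason) tuples for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions live in the repo itself and docker:// images should be pinned
        # by image digest, so neither is a candidate for a git SHA pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref: resolves to the default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, f"mutable ref '{version}', not a full commit SHA"))
        elif not m.group("comment"):
            findings.append((lineno, ref, "SHA pin lacks a '# vN' comment naming the release"))
    return findings

def pin_line(line: str, sha: str) -> str:
    """Rewrite one tag-pinned `uses:` line to a full-SHA pin, keeping the tag as a comment."""
    m = USES_RE.match(line)
    if not m or "@" not in m.group("ref") or not FULL_SHA_RE.match(sha):
        raise ValueError("expected a 'uses: owner/repo@tag' line and a 40-hex SHA")
    action, version = m.group("ref").rsplit("@", 1)
    return f"{line[:m.start('ref')]}{action}@{sha} # {version}"

# Constructed sample workflow modelled on the steps in this PR's diff; the
# all-zero SHA is a placeholder standing in for a real release commit.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: ./.github/actions/local-check
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4
      - name: Lint
        uses: some-org/lint-action
"""
```

Running check_workflow over SAMPLE_WORKFLOW reports the @v7 tag and the ref-less lint step; the SHA-pinned step with its version comment passes.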
| # Checkout the repository code to the runner. | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
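Review bot: the `+` line `uses: actions/checkout@v7` is still a mutable tag, which is the finding the analysis comment for this hunk makes; when the reference is changed to a full commit SHA, keep the release as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v7`, so the version stays readable in the file and tooling can still see which release the SHA corresponds to.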
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
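Review bot: this hunk is part of a semver-major bump (update-type version-update:semver-major in the PR description), and the v7 commit list includes "block checking out fork pr for pull_request_target and workflow_run (#2454)"; if this workflow, or any other one touched in this PR, is triggered by either of those events and checks out the PR head from a fork, confirm the checkout still succeeds under v7 before merging rather than relying on the tag bump alone.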
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
| steps: | ||
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
Unpinned action reference: actions/checkout is pinned to a mutable tag (@v7) rather than an immutable commit SHA. Pin the action to a full commit SHA to prevent supply chain attacks.
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)