chore(deps): bump actions/checkout from 6 to 7 (#42)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough: Both GitHub Actions workflow files (
Changes: Checkout Action Version Bump
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/static.yml:
- Line 17: Replace all instances of the actions/checkout action reference
(appearing at the checkout steps) from the tag-based version `@v7` to a pinned
commit SHA for supply-chain security. Additionally, add a with configuration
parameter to the checkout steps to disable credential persistence by setting
persist-credentials to false. This needs to be applied to all occurrences of the
actions/checkout step in the workflow file.
In @.github/workflows/tests.yml:
- Line 28: The checkout action at line 28 uses an unpinned version tag (`@v7`)
which is a security vulnerability, and is missing the persist-credentials
configuration. Replace the actions/checkout@v7 reference with a pinned commit
SHA (immutable reference) and add persist-credentials: false as a configuration
option to the uses step. This ensures the workflow uses a specific, verified
version of the action and minimizes credential scope in the test workflow.
Files selected for processing (2):
- .github/workflows/static.yml
- .github/workflows/tests.yml
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
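Review bot: the PR description marks this as a semver-major update (update-type: version-update:semver-major), so the `uses: actions/checkout@v7` line here should be merged only after checking the v7 behaviour changes in the commit list at the bottom of the PR, notably f9e715a ("block checking out fork pr for pull_request_target and workflow_run") and d914b26 ("upgrade module to esm and update dependencies"); confirm that static.yml does not rely on checking out a fork PR head under those triggers, and pin the step to the full commit SHA with `persist-credentials: false` as the inline comment below already requests.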
🧩 Analysis chain
🏁 Script executed:
cd .github/workflows && [ -f static.yml ] && cat -n static.yml || echo "File not found"
Repository: worksome/exchange
Length of output: 1359
Pin actions/checkout to a commit SHA and disable credential persistence.
Both checkout steps are currently tag-pinned (@v7) and keep default credential persistence. This weakens CI supply-chain hardening and token hygiene.
Suggested patch
- - uses: actions/checkout@v7
+ - uses: actions/checkout@<FULL_LENGTH_V7_COMMIT_SHA>
+ with:
+ persist-credentials: false
...
- - name: Checkout
- uses: actions/checkout@v7
+ - name: Checkout
+ uses: actions/checkout@<FULL_LENGTH_V7_COMMIT_SHA>
+ with:
+ persist-credentials: false
Also applies to: 37-38
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
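Review bot: the `uses: actions/checkout@v7` line here is flagged by both zizmor rules (artipacked on 27-28, unpinned-uses on 28), and the committable suggestion in the comment below resolves both; before committing it, verify that 692adf48ddf1fed83e8512f30a5674cda2933dec is the commit the v7 tag currently resolves to, since that SHA does not appear in the v6...v7 commit list in the PR description (whose newest entry is 9c091bb), and keep a trailing `# v7` comment after the SHA so the pin stays readable and Dependabot can continue to bump it.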
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/tests.yml | head -50
Repository: worksome/exchange
Length of output: 1793
🏁 Script executed:
rg -A 10 "actions/checkout" .github/workflows/tests.yml
Repository: worksome/exchange
Length of output: 359
🏁 Script executed:
if [ -f ".github/workflows/static.yml" ]; then
rg -A 5 "actions/checkout" .github/workflows/static.yml
fi
Repository: worksome/exchange
Length of output: 348
Harden checkout step with SHA pinning and persist-credentials: false.
The checkout step at line 28 uses an unpinned version tag (@v7) and should be pinned to an immutable commit SHA. Additionally, add persist-credentials: false to disable credential persistence—this is a security best practice for test workflows, reducing the scope of the auto-generated GITHUB_TOKEN to the shortest necessary duration.
Suggested patch
- name: Checkout code
- uses: actions/checkout@v7
+ uses: actions/checkout@692adf48ddf1fed83e8512f30a5674cda2933dec
+ with:
+ persist-credentials: false
📝 Committable suggestion
| uses: actions/checkout@v7 | |
| - name: Checkout code | |
| uses: actions/checkout@692adf48ddf1fed83e8512f30a5674cda2933dec | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
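As an added example (not part of the review, the repository, or zizmor itself), a small line-based audit that reproduces the two findings raised on both workflows: an action reference that is not a full commit SHA, and an actions/checkout step that leaves credential persistence enabled. The sample workflow is constructed; the SHA in its hardened step is the one from the committable suggestion above.

```python
import re

# Constructed sample: the pre-fix tests.yml checkout step next to the
# hardened form from the committable suggestion (SHA taken from the page).
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout code
    uses: actions/checkout@v7
  - name: Checkout (hardened)
    uses: actions/checkout@692adf48ddf1fed83e8512f30a5674cda2933dec
    with:
      persist-credentials: false
"""

# `uses: owner/repo@ref`, optionally after the step's `- `; local and docker:// refs have no `@ref` and are skipped.
USES_RE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*([^\s@#]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def audit_workflow(text):
    """Return (line_no, rule, action_ref) findings mirroring the two zizmor
    rules from the review: `unpinned-uses` when the ref is not a full 40-hex
    commit SHA, `artipacked` when actions/checkout keeps credential persistence.
    Line-based on purpose (no YAML library); assumes the step layout above."""
    lines = text.splitlines()
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(2), m.group(3)
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, "unpinned-uses", f"{action}@{ref}"))
        if action != "actions/checkout":
            continue
        # The step's other keys (`with:` and children) sit at or right of the
        # `uses` column; the next `- ` step sits to its left, so stop there.
        key_col = line.index("uses:")
        persists = True
        for nxt in lines[line_no:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break
            if PERSIST_OFF_RE.match(nxt):
                persists = False
        if persists:
            findings.append((line_no, "artipacked", f"{action}@{ref}"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags only the `@v7` step (both rules) and accepts the SHA-pinned step with `persist-credentials: false`.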
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)