
chore(deps): bump actions/checkout from 6 to 7 #42

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/checkout-7

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 22, 2026

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0: Full Changelog: actions/checkout@v6.0.3...v7.0.0
v6.0.3: Full Changelog: actions/checkout@v6...v6.0.3
v6.0.2: Full Changelog: actions/checkout@v6.0.1...v6.0.2
v6.0.1: Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

v7.0.0, v6.0.3, v6.0.2, v6.0.1, v6.0.0, v5.0.1, v5.0.0, v4.3.1, v4.3.0, v4.2.2, v4.2.1 ... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated continuous integration and deployment workflow dependencies to maintain compatibility and stability.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 22, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

coderabbitai Bot commented Jun 22, 2026

📝 Walkthrough

Both GitHub Actions workflow files (.github/workflows/static.yml and .github/workflows/tests.yml) are updated to use actions/checkout@v7 instead of actions/checkout@v6 across all three job steps (phpstan, ecs, and the test job).

Changes

Checkout Action Version Bump
  Layer / File(s): .github/workflows/static.yml, .github/workflows/tests.yml
  Summary: Upgrade actions/checkout to v7 in all workflows. The phpstan and ecs jobs in static.yml and the test job in tests.yml all update their checkout step from actions/checkout@v6 to actions/checkout@v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hippity hop, a version goes up,
From v6 to v7, now fill up the cup!
Three little steps all pointing the same,
Checkout updated — what a tidy refrain.
The rabbit approves with a wiggle and cheer! 🎉

🚥 Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically summarizes the main change: upgrading the actions/checkout dependency from version 6 to version 7 across workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/static.yml:
- Line 17: Replace all instances of the actions/checkout action reference
(appearing at the checkout steps) from the tag-based version `@v7` to a pinned
commit SHA for supply-chain security. Additionally, add a with configuration
parameter to the checkout steps to disable credential persistence by setting
persist-credentials to false. This needs to be applied to all occurrences of the
actions/checkout step in the workflow file.

In @.github/workflows/tests.yml:
- Line 28: The checkout action at line 28 uses an unpinned version tag (`@v7`)
which is a security vulnerability, and is missing the persist-credentials
configuration. Replace the actions/checkout@v7 reference with a pinned commit
SHA (immutable reference) and add persist-credentials: false as a configuration
option to the uses step. This ensures the workflow uses a specific, verified
version of the action and minimizes credential scope in the test workflow.

ℹ️ Review info: configuration used: defaults; review profile: CHILL; plan: Pro Plus; run ID: 1a247436-c435-4222-a8ff-064c068a0b40

📥 Commits

Reviewing files that changed from the base of the PR and between d3a4946 and e61c3c8.

📒 Files selected for processing (2)
  • .github/workflows/static.yml
  • .github/workflows/tests.yml

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
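Review bot: this hunk swaps one floating tag for another (`actions/checkout@v6` to `actions/checkout@v7`), so the job still runs whatever commit the `v7` tag points at on the day it runs; pin to the full commit SHA of the v7.0.0 release with a trailing `# v7.0.0` comment (Dependabot keeps SHA pins with such a comment up to date), and add `with: persist-credentials: false`, which is the `artipacked` finding zizmor reports for this line. Since this is a major bump and the release-notes section of the PR body carries no entries, read the v7.0.0 changelog for breaking changes before merging.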

Inline review comment on .github/workflows/static.yml (coderabbitai Bot):

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed: cd .github/workflows && [ -f static.yml ] && cat -n static.yml || echo "File not found"
Repository: worksome/exchange; length of output: 1359

Pin actions/checkout to a commit SHA and disable credential persistence.

Both checkout steps are currently tag-pinned (@v7) and keep default credential persistence. This weakens CI supply-chain hardening and token hygiene.

Suggested patch
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@<FULL_LENGTH_V7_COMMIT_SHA>
+        with:
+          persist-credentials: false
...
-      - name: Checkout
-        uses: actions/checkout@v7
+      - name: Checkout
+        uses: actions/checkout@<FULL_LENGTH_V7_COMMIT_SHA>
+        with:
+          persist-credentials: false
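Review bot: `<FULL_LENGTH_V7_COMMIT_SHA>` is a placeholder, not a committable value; resolve it with `git ls-remote https://github.com/actions/checkout refs/tags/v7.0.0` and take the `^{}` (peeled) line, which is the commit an annotated tag points at, then append `# v7.0.0` after the SHA so the version stays readable and Dependabot can keep bumping it. Use the same SHA for the second checkout step at lines 37-38 so both jobs run identical code.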

Also applies to: 37-38

🧰 Tools: 🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


Source: Linters/SAST tools

steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@v7
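Review bot: same change as in static.yml, and the same gap: `@v7` is a mutable tag and the step has no `with:` block. Both workflow files should end up with the identical SHA-pinned reference plus `persist-credentials: false`, so that the three checkout steps stay in lockstep and a single Dependabot PR updates all of them; the `- name: Checkout code` context line shows the `uses:` key sits under a named step here, so the `with:` block must be indented at the same level as `uses:`.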

Inline review comment on .github/workflows/tests.yml (coderabbitai Bot):

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed: cat -n .github/workflows/tests.yml | head -50
Repository: worksome/exchange; length of output: 1793

🏁 Script executed: rg -A 10 "actions/checkout" .github/workflows/tests.yml
Repository: worksome/exchange; length of output: 359

🏁 Script executed:
if [ -f ".github/workflows/static.yml" ]; then
  rg -A 5 "actions/checkout" .github/workflows/static.yml
fi
Repository: worksome/exchange; length of output: 348


Harden checkout step with SHA pinning and persist-credentials: false.

The checkout step at line 28 uses an unpinned version tag (@v7) and should be pinned to an immutable commit SHA. Additionally, add persist-credentials: false to disable credential persistence—this is a security best practice for test workflows, reducing the scope of the auto-generated GITHUB_TOKEN to the shortest necessary duration.

Suggested patch
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@692adf48ddf1fed83e8512f30a5674cda2933dec
+        with:
+          persist-credentials: false
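Review bot: the SHA `692adf48ddf1fed83e8512f30a5674cda2933dec` is offered without evidence that it is the commit the v7.0.0 tag resolves to; verify it against `git ls-remote https://github.com/actions/checkout refs/tags/v7.0.0` (peeled `^{}` line) before committing, and append `# v7.0.0` so readers and Dependabot can tell which release it is. One correction to the rationale above: `persist-credentials: false` does not shorten the GITHUB_TOKEN's lifetime, which is still the job's; it stops actions/checkout from writing the token into the checked-out repository's git config, where later steps, artifact uploads or a malicious dependency could read it.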
🧰 Tools: 🪛 zizmor (1.25.2)

[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


Source: Linters/SAST tools
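Both inline comments above ask for the same two fixes, so here is one added example that shows what the zizmor checks they cite actually look for. It is not code from this PR, the worksome/exchange repository, CodeRabbit or zizmor: a small Python re-implementation of the `unpinned-uses` and `artipacked` rules as a line scanner over workflow text, run over two constructed workflow snippets, one shaped like the diff in this PR (tag-pinned checkout, no `persist-credentials`) and one hardened. The 40-character SHAs in the hardened sample are all-zero and all-one placeholders, not real actions/checkout commits, and the function and rule names are this example's own.

```python
"""Toy re-implementation of the two zizmor findings raised in this review:
  unpinned-uses - a `uses:` reference that is a tag/branch rather than a 40-hex commit SHA
  artipacked    - an actions/checkout step that does not set `persist-credentials: false`
It scans workflow text line by line (no YAML library) and only understands the
block-style layout shown in the PR diff: one key per line, steps as "- " items.
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Matches "uses: owner/repo@ref" whether or not the line opens a list item ("- uses:").
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    rule: str      # "unpinned-uses" or "artipacked"
    message: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _step_bounds(lines: list[str], uses_idx: int) -> tuple[int, int]:
    """Half-open [start, end) range of the step list item containing lines[uses_idx].
    A step starts at a "- " item whose keys sit two columns right of the dash and
    ends at the next non-blank line indented at or left of that dash."""
    raw = lines[uses_idx]
    dash_indent = _indent(raw) if raw.lstrip().startswith("- ") else _indent(raw) - 2
    start = uses_idx
    while start > 0:
        cur = lines[start]
        if cur.strip() and _indent(cur) == dash_indent and cur.lstrip().startswith("- "):
            break
        start -= 1
    end = start + 1
    while end < len(lines):
        cur = lines[end]
        if cur.strip() and _indent(cur) <= dash_indent:
            break
        end += 1
    return start, end


def check_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        action, _, version = ref.partition("@")
        if action.startswith(("./", "docker://")):
            continue  # local composite actions and docker images are out of scope here
        if not SHA_RE.match(version):
            findings.append(Finding(i + 1, "unpinned-uses",
                f"{ref}: mutable ref {version or '(default branch)'!r}, not a commit SHA"))
        if action == "actions/checkout":
            start, end = _step_bounds(lines, i)
            step = {l.strip() for l in lines[start:end]}
            # Exact-line match only: quoted values or trailing comments are not recognised.
            if "persist-credentials: false" not in step:
                findings.append(Finding(i + 1, "artipacked",
                    f"{ref}: checkout step does not set persist-credentials: false"))
    return findings


def report(text: str) -> list[str]:
    return [f"line {f.line} [{f.rule}] {f.message}" for f in check_workflow(text)]


# Constructed samples, not the repository's files. WEAK has the shape of the PR diff.
WEAK_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
      - uses: actions/setup-node@v4
"""

# Placeholder SHAs (all zeros / all ones), not real commits of either action.
HARDENED_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@0000000000000000000000000000000000000000  # v7.0.0 (placeholder)
        with:
          persist-credentials: false
      - uses: actions/setup-node@1111111111111111111111111111111111111111  # placeholder
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for entry in report(wf) or ["clean"]:
            print(entry)
```

To turn a tag into the SHA the hardened sample needs, run `git ls-remote https://github.com/actions/checkout refs/tags/v7.0.0` and take the `^{}` line, which is the commit the annotated tag points at; keep a `# v7.0.0` comment next to the pin so Dependabot can continue to bump it. The scanner deliberately stops at the layout seen in this PR: flow-style YAML, quoted booleans and `persist-credentials: 'false'` are not handled, which is why the real tool, zizmor, parses the YAML rather than the lines.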

Labels: None yet

0 participants