Skip to content

chore(ci): bump actions/checkout from 6 to 7#123

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Open

chore(ci): bump actions/checkout from 6 to 7#123
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions infrastructure to use the latest checkout tooling, enhancing build pipeline reliability and security across all automated workflows.
    • Strengthened deployment safety by improving failure detection in critical validation steps.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: automerge-candidate, dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

All GitHub Actions workflow files update the actions/checkout step from @v6 to @v7. The change is applied uniformly across 15 workflow files and approximately 30 job steps, with no other logic, triggers, permissions, or job configurations modified.

Changes

actions/checkout v6 → v7 bump

Layer / File(s) Summary
Bump actions/checkout@v6 to @v7 in all workflows
.github/workflows/audit.yml, .github/workflows/auto-fix-adr.yml, .github/workflows/ci-quality.yml, .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/compliance.yml, .github/workflows/contracts.yml, .github/workflows/dev-layer-gmp.yml, .github/workflows/docker-build.yml, .github/workflows/docs-code-sync.yml, .github/workflows/k8s-deploy.yml, .github/workflows/pr-review-enforcement.yml, .github/workflows/refactoring-validation.yml, .github/workflows/supply-chain.yml, .github/workflows/terminology-guard.yml
Every actions/checkout step across all workflow files is updated from @v6 to @v7. No other job logic, triggers, permissions, or step configurations are changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hippity hop, a version we chase,
From v6 to v7 at a comfortable pace.
Fifteen workflows all updated with care,
The same little line changed everywhere.
A carrot for each — now perfectly in place! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(ci): bump actions/checkout from 6 to 7' clearly and accurately summarizes the main change across all modified workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-7

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown

PR size is within recommended limits

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Line 45: The actions/checkout action is using a mutable version tag (`@v7`)
instead of a pinned commit SHA, which violates security best practices. Replace
the mutable `@v7` tag in the uses field with a full commit SHA to ensure
reproducibility and security. Additionally, add a with section to the
actions/checkout step to set persist-credentials to false, which disables the
default credential persistence and reduces token exposure risk from potential
artifact or log leakage scenarios.

In @.github/workflows/docker-build.yml:
- Line 56: The actions/checkout step uses the mutable version tag `@v7` instead of
pinning to an immutable commit SHA, which poses a security risk. Replace the
version tag `@v7` with a full 40-character commit SHA to ensure reproducible and
secure builds. Additionally, add the persist-credentials input parameter and set
it to false to disable default token persistence, enhancing security by
preventing credentials from being stored in the git config.

In @.github/workflows/k8s-deploy.yml:
- Line 56: Replace the mutable version tag in the actions/checkout action with a
specific SHA hash pin to improve security consistency. Instead of using
actions/checkout@v7, pin it to a specific commit SHA (format:
actions/checkout@[SHA]) to match the pattern already used by other actions in
the workflow at lines 59 and 64. This prevents unexpected changes from mutable
tags and ensures deterministic deployments.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: da55c8d1-5c43-4905-a137-b3d2e84f1850

📥 Commits

Reviewing files that changed from the base of the PR and between 35306fd and 55e6592.

📒 Files selected for processing (15)
  • .github/workflows/audit.yml
  • .github/workflows/auto-fix-adr.yml
  • .github/workflows/ci-quality.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/compliance.yml
  • .github/workflows/contracts.yml
  • .github/workflows/dev-layer-gmp.yml
  • .github/workflows/docker-build.yml
  • .github/workflows/docs-code-sync.yml
  • .github/workflows/k8s-deploy.yml
  • .github/workflows/pr-review-enforcement.yml
  • .github/workflows/refactoring-validation.yml
  • .github/workflows/supply-chain.yml
  • .github/workflows/terminology-guard.yml

steps:
- name: Checkout Repository
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and examine line 45 context
cat -n .github/workflows/codeql.yml | sed -n '40,50p'

Repository: cryptoxdog/Cognitive.Engine.Graphs

Length of output: 404


🏁 Script executed:

# Also check the full file size to understand context
wc -l .github/workflows/codeql.yml

Repository: cryptoxdog/Cognitive.Engine.Graphs

Length of output: 110


🌐 Web query:

GitHub Actions actions/checkout version pinning security best practices commit SHA

💡 Result:

GitHub Actions security best practice for actions/checkout (and any third-party action) is to pin the action reference to a full-length immutable commit SHA (40 hex chars) rather than a tag or branch, and to update those pins intentionally via an automated tool. 1) Use full-length commit SHA pins (immutable) - GitHub states that “Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release,” and that pinning mitigates backdoor risk because the attacker would need a SHA-1 collision for a valid Git object payload; also verify the SHA comes from the action’s repository, not a fork [1]. - GitHub also introduced a policy/enforcement feature: administrators can enforce SHA pinning so workflows using an action that isn’t pinned to a full commit SHA will fail [2]. Example (actions/checkout) - Recommended: uses: actions/checkout@<FULL_COMMIT_SHA> # optional comment with the human version - Avoid: uses: actions/checkout@v7, @main, @master, @latest (mutable references) [1][2]. 2) Don’t rely on tags/branches even if you “trust” the author - GitHub warns that tags are only convenient and can be moved or deleted by a bad actor, even if you trust the author [1]. 3) Keep pins from going stale (process) - Because SHA pins don’t auto-move, you need a renewal mechanism. GitHub/Dependabot support updating SHA-pinned GitHub Actions [2]. - Renovate also supports auto-updating SHA-pinned action digests (via helpers:pinGitHubActionDigests) [3]. If you share a snippet of your current workflow (the specific uses: actions/checkout@... lines), I can rewrite it to SHA pins and suggest an update strategy (Dependabot vs Renovate) that matches your setup.

Citations:


Pin actions/checkout to a full commit SHA and disable persisted credentials.

Using @v7 is mutable and violates GitHub's security recommendations for SHA pinning. Default credential persistence increases token exposure risk in artifact/log leakage scenarios.

🔧 Suggested patch
       - name: Checkout Repository
-        uses: actions/checkout@v7
+        uses: actions/checkout@<FULL_40_CHAR_COMMIT_SHA>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 44-45: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 45-45: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 45, The actions/checkout action is
using a mutable version tag (`@v7`) instead of a pinned commit SHA, which violates
security best practices. Replace the mutable `@v7` tag in the uses field with a
full commit SHA to ensure reproducibility and security. Additionally, add a with
section to the actions/checkout step to set persist-credentials to false, which
disables the default credential persistence and reduces token exposure risk from
potential artifact or log leakage scenarios.

Source: Linters/SAST tools

steps:
- name: Checkout Repository
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/docker-build.yml | grep -A 2 -B 2 "checkout"

Repository: cryptoxdog/Cognitive.Engine.Graphs

Length of output: 219


🌐 Web query:

actions/checkout v7 security best practices commit SHA pinning vs version tag

💡 Result:

As of June 22, 2026, actions/checkout v7 is the latest major version [1][2]. Regardless of the version (v7 or earlier), the security best practice for using GitHub Actions is to pin references to a full-length commit SHA rather than a version tag [3][4][5]. Security Context: Commit SHA Pinning vs. Version Tags Version tags (e.g., @v7, @v7.0.0) are mutable pointers that maintainers or attackers can move to different commits at any time [6][7][5]. Pinning to a tag relies on the assumption that the upstream maintainer will never maliciously or accidentally update the tag to point to compromised code [3][8]. Commit SHA pinning provides an immutable reference [3][6][7]. When you pin to a full-length 40-character commit SHA, your workflow is guaranteed to run the exact code you audited, regardless of any changes made to the action's repository or its tags [4][6][5]. Recommended Implementation To maintain readability while ensuring security, use the following pattern [9][5]: - uses: actions/checkout@b4ffde6 # v7.0.0 This approach locks the execution to a specific, immutable hash while the inline comment preserves the human-readable version for ease of maintenance [9][5]. Tools such as Dependabot and Renovate support this convention and will automatically propose updates by bumping both the SHA and the version comment in a single pull request, allowing you to review changes before merging [9][8][6]. Special Considerations for actions/checkout v7 actions/checkout v7 introduces a critical security update regarding fork pull requests [10][1][11]: - Default Protection: v7 refuses to check out fork pull request code in pull_request_target and workflow_run workflows by default to prevent "pwn request" vulnerabilities [10][12][11]. - Opt-out: If your workflow requires this functionality for legitimate reasons (e.g., generating reports from fork code), you can opt out by adding the allow-unsafe-pr-checkout: true input [10][12][11]. This should be treated as a deliberate and risky security decision [10]. Even with v7's improved defaults, pinning to a commit SHA remains the industry-standard best practice to ensure the integrity of the action's code itself [3][5]. Organizations can enforce this at scale using GitHub's repository or organization-level policies, which can be configured to require full commit SHA pinning for all actions [3][4].

Citations:


Pin checkout action to immutable commit SHA and disable default token persistence.

Current step uses mutable version tag (@v7), which can be moved by maintainers or attackers. Industry best practice is to pin to a full 40-character commit SHA for security integrity.

🔧 Suggested patch
       - name: Checkout Repository
-        uses: actions/checkout@v7
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 55-56: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build.yml at line 56, The actions/checkout step
uses the mutable version tag `@v7` instead of pinning to an immutable commit SHA,
which poses a security risk. Replace the version tag `@v7` with a full
40-character commit SHA to ensure reproducible and secure builds. Additionally,
add the persist-credentials input parameter and set it to false to disable
default token persistence, enhancing security by preventing credentials from
being stored in the git config.

Source: Linters/SAST tools

steps:
- name: Checkout Repository
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/k8s-deploy.yml | head -70

Repository: cryptoxdog/Cognitive.Engine.Graphs

Length of output: 2674


🏁 Script executed:

# Check context around checkout and other actions
cat -n .github/workflows/k8s-deploy.yml | sed -n '54,68p'

Repository: cryptoxdog/Cognitive.Engine.Graphs

Length of output: 643


🌐 Web query:

GitHub Actions checkout v7 security best practices persist-credentials persist-token

💡 Result:

The actions/checkout action, including in v7, uses persist-credentials as a configuration option to control whether the GITHUB_TOKEN or other authentication credentials are configured in the local Git environment [1][2]. Security Best Practices: - Explicitly disable when not needed: Use persist-credentials: false unless your workflow specifically requires running authenticated Git commands (e.g., git push) [3][4]. By default, this option is set to true [1][4]. - Understand the risks: When enabled, credentials are made available to all subsequent steps in the job [4]. This exposes them to any malicious or compromised third-party actions running in the same job [4]. - Improved v7 handling: In recent versions, including v7, the action has improved security by storing credentials in a separate file under $RUNNER_TEMP instead of directly in.git/config [1][2]. While this mitigates some risks, such as accidental leakage through artifact publishing, it does not remove the fundamental risk that the credentials remain accessible to other steps in the job context [5]. - Use minimal permissions: If you must enable persistence to push commits, ensure the GITHUB_TOKEN has the minimum permissions necessary for the task [4]. Regarding v7 security changes: - In addition to credential handling, v7 introduces safer defaults for workflows using the pull_request_target and workflow_run events [6]. It now refuses to check out fork pull request code in these contexts by default to prevent "pwn request" vulnerabilities [6]. Workflows that genuinely need this access must explicitly opt in using the allow-unsafe-pr-checkout input [6]. In summary, persist-credentials: false is the recommended best practice for most workflows to minimize the attack surface [3][4]. Do not rely on the default behavior; explicitly set this parameter to enforce security [4].

Citations:


Secure checkout in deployment workflow with SHA pinning and credential hardening.

actions/checkout@v7 uses a mutable version tag and leaves credential persistence enabled by default. Other actions in this workflow already use SHA pinning (lines 59, 64); checkout should follow the same pattern for consistency and security.

🔧 Suggested patch
       - name: Checkout Repository
-        uses: actions/checkout@v7
+        uses: actions/checkout@<FULL_40_CHAR_COMMIT_SHA>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 55-56: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/k8s-deploy.yml at line 56, Replace the mutable version tag
in the actions/checkout action with a specific SHA hash pin to improve security
consistency. Instead of using actions/checkout@v7, pin it to a specific commit
SHA (format: actions/checkout@[SHA]) to match the pattern already used by other
actions in the workflow at lines 59 and 64. This prevents unexpected changes
from mutable tags and ensures deterministic deployments.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants