Skip to content

chore(deps): bump actions/checkout from 4 to 7#20

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Open

chore(deps): bump actions/checkout from 4 to 7#20
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown

Bumps actions/checkout from 4 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 23, 2026

@eitri-ccl eitri-ccl Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛡️ Eitrithe forge's second smith

🔒 Security scan

Ran semgrep, trivy · scoped to changed files · 0 blocking, 0 total.

No security findings in the changed files. ✅


VERDICT: APPROVE

This is a straightforward, well-scoped dependency bump in a single CI workflow. actions/checkout@v7 is confirmed as the latest stable release (released June 18, 2026), and the security scan is clean. The surrounding workflow is a simple typecheck + build job triggered on push/PR — no pull_request_target or workflow_run triggers, so v7's notable security hardening (blocking fork checkout in those high-privilege contexts) is not a breaking concern here, only a bonus. No pinning inconsistency with the other actions in the file (both pnpm/action-setup and actions/setup-node are already on v4 majors, which is fine independently).

Findings

No blocking issues found.

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): Bump actions/checkout from 4 to 7 chore(deps): bump actions/checkout from 4 to 7 Jul 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from f6106ca to 5ed3492 Compare July 3, 2026 00:50

@eitri-ccl eitri-ccl Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛡️ Eitrithe forge's second smith

🔒 Security scan

Ran semgrep, trivy · scoped to changed files · 6 blocking, 6 total.

Blocking — must fix:

  • 🟠 HIGH [semgrep] .github/workflows/ci.yml:13 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  • 🟠 HIGH [semgrep] .github/workflows/ci.yml:14 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  • 🟠 HIGH [semgrep] .github/workflows/ci.yml:15 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  • 🟠 HIGH [semgrep] .github/workflows/codeql.yml:24 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  • 🟠 HIGH [semgrep] .github/workflows/codeql.yml:25 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  • 🟠 HIGH [semgrep] .github/workflows/codeql.yml:29 — github-actions-mutable-action-tag. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

The diff shows a straightforward bump of actions/checkout from v4 to v7. The security scan identified a critical issue: both workflow files use mutable tag references (@v7) instead of pinned commit SHAs. This is a supply-chain attack vector—the tag can be silently repointed by the action owner.

The PR itself technically upgrades to a newer version, but it does NOT address the underlying security requirement: all GitHub Actions must be pinned to their full 40-character commit SHA, not version tags.


VERDICT: REQUEST_CHANGES

This PR upgrades actions/checkout from v4 to v7 but leaves the critical security vulnerability unresolved: both .github/workflows/ci.yml:13 and .github/workflows/codeql.yml:24 use a mutable tag reference (@v7) instead of a pinned commit SHA. GitHub Actions are vulnerable to tag repointing attacks (as seen in trivy-action and kics-github-action compromises). The fix is required before merge.

Findings

  • .github/workflows/ci.yml:13actions/checkout@v7 uses a mutable tag. Replace with a pinned commit SHA, e.g. actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 (resolve the actual SHA for v7 from the actions/checkout releases page).
  • .github/workflows/codeql.yml:24 — Same issue: actions/checkout@v7 must be pinned to a full 40-character commit SHA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants