
chore(deps): bump actions/checkout from 6 to 7#114

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

dependabot Bot commented on behalf of github Jun 22, 2026

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow tooling to latest versions for improved build pipeline reliability and security standards.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot commented on behalf of github Jun 22, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

coderabbitai Bot commented Jun 22, 2026
📝 Walkthrough

The actions/checkout action version is bumped from @v6 to @v7 in three places: the phpstan job and ecs job in .github/workflows/static.yml, and the tests workflow in .github/workflows/tests.yml. No other workflow configuration is changed.

Changes

Layer: CI Workflow Checkout Bump
File(s): .github/workflows/static.yml, .github/workflows/tests.yml
Summary: Bump actions/checkout@v6 → v7 in all CI jobs. The checkout steps in the phpstan and ecs jobs (static.yml) and in the tests workflow (tests.yml) are all updated from actions/checkout@v6 to actions/checkout@v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hop, hop, a version's due,
From six to seven, shiny and new!
Three workflows checked, all neat in a row,
The checkout action gets a fresh glow.
Off I bound through the CI burrow! 🌿

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and accurately summarizes the main change: upgrading the actions/checkout dependency from version 6 to version 7 across multiple GitHub Actions workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.github/workflows/tests.yml (1)

28-28: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Version upgrade is consistent, but same security concerns apply.

The actions/checkout upgrade from v6 to v7 is clean and consistent with the other two workflows. However, the same zizmor warnings apply here: unpinned action reference and credential persistence not explicitly configured.

Align this with the recommendations in the previous comment if adopting commit hash pinning across your workflows.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml at line 28, The `actions/checkout` action
reference uses a version tag (v7) instead of being pinned to a specific commit
hash, and does not explicitly configure credential persistence settings. To
address the security concerns, replace the version tag reference with a full
commit hash pinning approach and add the `with` section to explicitly set the
`persist-credentials` option to either true or false based on your security
requirements, following the same pattern recommended in previous workflow
improvements.

Source: Linters/SAST tools

.github/workflows/static.yml (1)

17-17: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

✓ Version upgrades look good, but static analysis flagged security concerns.

Both actions/checkout references have been cleanly upgraded from v6 to v7. However, zizmor is reporting two issues:

  1. Unpinned action references – The action is not pinned to a commit hash. Security best practice recommends pinning GitHub Actions to specific commit hashes (e.g., actions/checkout@abc1234) rather than semantic versions, to prevent malicious version tag modifications.

  2. Credential persistence – Neither step explicitly sets persist-credentials: false, which may be appropriate depending on whether these jobs need git credentials.

If your organization enforces action hash pinning via policy, you'll need to add the commit hash for v7. You can find it on the actions/checkout releases page.

🔒 Example: Pinning to a commit hash (replace with actual v7 hash)
- uses: actions/checkout@v7
+ uses: actions/checkout@<v7-commit-hash>

Also applies to: 38-38

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/static.yml at line 17, The `actions/checkout` action
reference uses semantic version pinning (`@v7`) instead of a specific commit hash,
which creates a security vulnerability where malicious tag modifications could
affect your workflow. Replace the `@v7` version reference with the actual commit
hash for the v7.0.0 release (available from the actions/checkout releases page
on GitHub), so the action reference reads `actions/checkout@<commit-hash>`
instead of `actions/checkout@v7`. This same fix applies to both occurrences of
the checkout action in the workflow file (lines 17 and 38).

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 3cb3ef91-60cf-46c3-b136-6f93921ab1b2

📥 Commits

Reviewing files that changed from the base of the PR and between e1b18b2 and b6213a1.

📒 Files selected for processing (2)
  • .github/workflows/static.yml
  • .github/workflows/tests.yml
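An added example, not part of this PR, not the project's code and not zizmor itself: a small line-based auditor for the two findings the review raises (a `uses:` reference that is a tag rather than a full commit SHA, and an actions/checkout step that leaves `persist-credentials` at its default of true, which writes the job's GITHUB_TOKEN into the checked-out repository's git config for every later step), plus a rewrite that pins a reference to a SHA while keeping the `# vN` comment Dependabot reads to continue updating a SHA-pinned action. The sample workflow is constructed from the walkthrough's description of static.yml (a phpstan job and an ecs job, both checking out at v7) and is not the real file; PLACEHOLDER_SHA is a dummy, not the actions/checkout v7 commit, which you resolve from the releases page or from the peeled `^{}` entries of `git ls-remote --tags https://github.com/actions/checkout`.

```python
"""Audit GitHub Actions workflows for unpinned `uses:` references and for
actions/checkout steps that keep credentials. Line-based on purpose: no PyYAML
dependency, and reported line numbers match the workflow file as a reviewer sees it."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full 40-hex commit SHA is the only immutable reference for a remote action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` or `uses: owner/repo@ref`; local (./) and docker:// refs never match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
PERSIST_RE = re.compile(r"""^\s*persist-credentials:\s*["']?(true|false)["']?\s*$""")

# Constructed sample modelled on the walkthrough's description of static.yml; not the real file.
SAMPLE_WORKFLOW = """\
name: Static analysis
on: [push, pull_request]
jobs:
  phpstan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - run: vendor/bin/phpstan analyse
  ecs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - run: vendor/bin/ecs check
"""

# Dummy value for the demonstration only. NOT the actions/checkout v7 commit.
PLACEHOLDER_SHA = "a" * 40


@dataclass
class Finding:
    line: int     # 1-based line of the `uses:` reference
    action: str
    ref: str
    kind: str     # "unpinned" or "persist-credentials"


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def _step_span(lines: list[str], uses_idx: int) -> tuple[int, int]:
    """Return [start, end) of the step list item that owns lines[uses_idx]."""
    line = lines[uses_idx]
    dash_line = line.lstrip().startswith("- ")
    key_col = _indent(line) + (2 if dash_line else 0)   # column of the step's keys

    def in_step(candidate: str) -> bool:
        return not candidate.strip() or _indent(candidate) >= key_col

    start = uses_idx
    if not dash_line:
        # `uses:` is a plain key, so the `- name:` (or similar) that opened the step is above it.
        while start > 0 and in_step(lines[start - 1]):
            start -= 1
        prev = lines[start - 1] if start > 0 else ""
        if prev.lstrip().startswith("- ") and _indent(prev) == key_col - 2:
            start -= 1
    end = uses_idx + 1
    while end < len(lines) and in_step(lines[end]):
        end += 1
    return start, end


def _persist_credentials(lines: list[str], start: int, end: int) -> bool | None:
    """True/False when set explicitly in the step, None when left at the default (true)."""
    for line in lines[start:end]:
        m = PERSIST_RE.match(line)
        if m:
            return m.group(1) == "true"
    return None


def audit_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append(Finding(idx + 1, action, ref, "unpinned"))
        if action == "actions/checkout":
            start, end = _step_span(lines, idx)
            if _persist_credentials(lines, start, end) is not False:
                findings.append(Finding(idx + 1, action, ref, "persist-credentials"))
    return findings


def pin_uses(text: str, sha_by_ref: dict[tuple[str, str], str]) -> str:
    """Rewrite `owner/repo@tag` to `owner/repo@<sha>  # tag` for every mapped reference.
    The trailing `# tag` comment is what Dependabot reads to keep a SHA-pinned action updated."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            sha = sha_by_ref.get((action, ref))
            if sha and SHA_RE.match(sha):
                line = line.replace(f"{action}@{ref}", f"{action}@{sha}  # {ref}", 1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `audit_workflow(SAMPLE_WORKFLOW)` and the phpstan checkout is reported twice (unpinned, and credentials persisted by default) while the ecs checkout is reported once (unpinned only); after `pin_uses` with a real SHA for `("actions/checkout", "v7")` only the persist-credentials finding remains, which is the point of the review's second item: pinning alone does not stop the token from being written into `.git/config`. The parser is deliberately line-based and indentation-driven, so it handles the block-style steps GitHub workflows are written in but not flow-style YAML or anchors; for those, load the file with a YAML parser and walk `jobs.*.steps` instead.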
