Thanks to visit codestin.com
Credit goes to github.com

Skip to content

build(deps): bump actions/checkout from 6 to 7#337

Merged
masutaka merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Jul 4, 2026
Merged

build(deps): bump actions/checkout from 6 to 7#337
masutaka merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from masutaka as a code owner July 1, 2026 10:03
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026

@masutaka masutaka left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overview

  • Package: actions/checkout 6 → 7 (major: v7.0.0)
  • Dependency type: Development dependency (GitHub Actions / CI)
  • Version change: Major

Key Findings

  • Breaking Changes: Yes. In v7.0.0, checkout now refuses to check out fork PR code when triggered by pull_request_target / workflow_run (actions/checkout#2454; opting in requires the new input allow-unsafe-pr-checkout: true). However, this does not affect this repository (see "Impact Scope" below). There is also a change to convert the module to ESM and update dependencies (actions/checkout#2463), but it has no impact on the consuming workflows.
  • Security: None. No open Dependabot alert matches actions/checkout, so this PR is driven by a version bump, not a security fix. Note that #2454 in v7.0.0 is itself a security-hardening-oriented change that prevents fork PR checkout.
  • Supported versions: The execution runtime is Node 24 (migrated in v5.0.0; v7 is the same). GitHub-hosted runners already support it, so there is no issue.
  • CI status: Pass (actionlint / codeql / dependency_review / test all succeeded. CodeQL, pushover, and add-assignee are "skipping" as normal).
  • Cascading updates: None. The diff is only the @v6@v7 change in .github/workflows/release.yml (2 places) and .github/workflows/test.yml (1 place). No other dependency changes.

Impact Scope

All three changes in the diff are tag updates from actions/checkout@v6 to @v7. The impact of the breaking change (blocking fork PR checkout) was verified for each usage site:

  • test.yml: Triggered by pull_request. The block only targets pull_request_target / workflow_run, so it is out of scope.
  • release.yml: Triggered by workflow_run (a block target), but it is limited to branches: main and only fires when Test completes on the base repository's main branch. The checkout does not specify a fork PR ref / repository (the tagpr job uses a token, and the release job only uses fetch-tags: true), so it checks out the default branch and therefore does not fall under "checking out fork PR code" and is not blocked.

In all cases, fork PR code is not explicitly checked out, so no behavioral change from the v7.0.0 breaking change occurs. There is no impact on the application code (Go) either.

Conclusion

No issues (safe to merge).

Although this is a major version bump, the diff is only three tag updates, and the main breaking change (blocking fork PR checkout) does not apply to how this repository uses the action. All CI checks pass, and there is no associated security alert.

@masutaka masutaka merged commit 399d0ca into main Jul 4, 2026
8 checks passed
@masutaka masutaka deleted the dependabot/github_actions/actions/checkout-7 branch July 4, 2026 06:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant