build(deps): bump actions/checkout from 6 to 7 #1288
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough
Six Changes: actions/checkout v6 → v7 bump
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 4
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)
27-33: ⚠️ Potential issue | 🔴 Critical
checkout@v7 will break fork-based PR e2e testing. This workflow uses actions/checkout@v7 on both pull_request_target (lines 27-33) and checks out fork repositories via issue_comment (lines 47-53). As of June 2026, v7 blocks fork checkouts on these events by default to prevent "pwn request" vulnerabilities. External contributor e2e runs will fail unless you either revert to v6, or explicitly add allow-unsafe-pr-checkout: true to both checkout steps with documented justification.
Suggested change
- uses: actions/checkout@v7
+ uses: actions/checkout@v6
Apply to lines 27 and 48.
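Review bot: the suggested change swaps one mutable tag (v7) for another (v6), so the `- uses: actions/checkout@v7` / `+ uses: actions/checkout@v6` lines at 27 and 48 would still trip the unpinned-uses finding that the same review raises for every other checkout step; if reverting is the chosen route, pin v6 to its commit SHA and add `persist-credentials: false` on both steps at the same time, so the fork-checkout fix does not reintroduce the supply-chain and credential-persistence issues the inline comments ask to close.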
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-components-for-e2e-tests.yml around lines 27 - 33, the actions/checkout@v7 action blocks fork checkouts on pull_request_target and issue_comment events by default as a security measure, which will cause external contributor e2e runs to fail. Fix this by either downgrading both checkout actions from v7 to v6, or by explicitly adding the allow-unsafe-pr-checkout: true parameter to both the checkout step at lines 27-33 (for pull_request_target) and the checkout step at lines 47-53 (for issue_comment). Choose whichever approach aligns with your security posture and document the justification if using the unsafe flag.
Source: Linked repositories
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci-build.yml:
- Around line 17-18: The actions/checkout step at the specified location uses a
mutable tag reference (v7) which creates a supply chain attack vector, and the
default behavior allows GITHUB_TOKEN credentials to persist across all
subsequent steps unnecessarily. Replace the mutable tag reference with a pinned
commit SHA for actions/checkout and add the persist-credentials parameter set to
false to the uses statement to disable credential persistence for this workflow
that only requires code checkout for linting and testing.
In @.github/workflows/ci-check-gomod.yml:
- Around line 14-15: The checkout action in the "Checkout code" step uses a
mutable version tag (v7) instead of a pinned SHA, and it's persisting git
credentials when they're not needed. Replace the `actions/checkout@v7` reference
with a pinned SHA commit hash and add `persist-credentials: false` as a
parameter to the checkout step to disable credential persistence and reduce the
attack surface.
In @.github/workflows/govulncheck.yml:
- Around line 13-14: The `actions/checkout` action is using a mutable tag (v7)
which presents a supply chain security risk. Pin the action to a specific commit
SHA instead of the v7 tag, and add the parameter `persist-credentials: false` to
the checkout action configuration since this job only requires read-only access
to the repository and does not need Git credentials to be persisted between
runs.
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 28: Both checkout steps (actions/checkout@v7) in this workflow need to be
updated to handle fork pull request checkouts safely. Add
`allow-unsafe-pr-checkout: true` to both checkout steps to opt into the v7
breaking security change that requires explicit approval for checking out fork
PRs with pull_request_target events. Additionally, add `persist-credentials:
false` to both checkout steps as a best practice since the workflow only
performs read operations, and optionally pin to specific commit SHAs instead of
v7 for improved supply chain security.
---
Outside diff comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 27-33: The actions/checkout@v7 action blocks fork checkouts on
pull_request_target and issue_comment events by default as a security measure,
which will cause external contributor e2e runs to fail. Fix this by either
downgrading both checkout actions from v7 to v6, or by explicitly adding the
allow-unsafe-pr-checkout: true parameter to both the checkout step at lines
27-33 (for pull_request_target) and the checkout step at lines 47-53 (for
issue_comment). Choose whichever approach aligns with your security posture and
document the justification if using the unsafe flag.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 09769a18-de1c-465d-a046-6652884ed3b5
📒 Files selected for processing (4)
- .github/workflows/ci-build.yml
- .github/workflows/ci-check-gomod.yml
- .github/workflows/govulncheck.yml
- .github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
- codeready-toolchain/api (manual)
- codeready-toolchain/toolchain-common (manual)
- codeready-toolchain/host-operator (manual)
- codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci-check-gomod.yml
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/ci-build.yml
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 37-38: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 38-38: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/publish-components-for-e2e-tests.yml
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 48-48: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/govulncheck.yml
[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-common
Linked repositories findings
Critical Security Impact on Fork PR Testing
codeready-toolchain/host-operator [::codeready-toolchain/host-operator::]
Workflow affected by actions/checkout v7 fork protection:
The .github/workflows/publish-components-for-e2e-tests.yml workflow is explicitly designed to checkout code from fork repositories and will be blocked by the new fork protection in v7:
- Lines 5-6: Uses the pull_request_target event (one of the events with new fork blocking in v7)
- Lines 24-29: First checkout step explicitly pulls from the fork:
  with:
    ref: ${{github.event.pull_request.head.ref}}
    repository: ${{github.event.pull_request.head.repo.full_name}}
- Lines 45-51: Second checkout also retrieves fork repo details dynamically
- Lines 25, 46: Uses actions/checkout@v6 (not yet updated to v7)
Impact: When upgraded to v7, the actions/checkout action will reject checkout operations for fork pull requests on pull_request_target events. This will break the e2e testing pipeline for external contributors, preventing the workflow from checking out their code.
codeready-toolchain/toolchain-common and codeready-toolchain/host-operator [::codeready-toolchain/toolchain-common::] [::codeready-toolchain/host-operator::]
Workflows using workflow_run event (also affected by v7 fork protection):
Both repos have .github/workflows/upload-coverage.yml files that use the workflow_run event (lines 3-5 in both). These workflows do NOT perform explicit fork checkouts—they download artifacts from a completed workflow run. These are lower risk but should be monitored to ensure artifact downloads from forked workflow runs continue to work as expected.
Summary for Reviewers
The upgrade to actions/checkout v7 introduces a breaking security restriction that blocks checkout of fork repositories for pull_request_target and workflow_run events.
Two repositories are directly affected:
- host-operator: The publish-components-for-e2e-tests.yml workflow will fail for all fork-based PRs because it explicitly checks out code from fork repositories during pull_request_target events. This needs to be updated to use an alternative approach (e.g., pull_request event + token handling or modified workflow logic).
- toolchain-common and host-operator: The upload-coverage.yml workflows should be tested to ensure workflow_run event artifact downloads still function correctly with v7.
Recommendation: Before merging this PR, ensure that the host-operator and toolchain-common repositories are updated to handle this breaking change, or revert to v6 if fork PR testing is essential to your CI/CD strategy.
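The review above raises three distinct problems with the checkout steps: a mutable tag instead of a pinned commit SHA (zizmor's unpinned-uses), no `persist-credentials: false` (artipacked), and a PR-head checkout on pull_request_target / issue_comment / workflow_run that v7 refuses unless `allow-unsafe-pr-checkout: true` is set. The following scanner is an added example, not code from this PR, from CodeRabbit or from zizmor: it reimplements those three checks with no dependencies, using a deliberately simple line-based reader rather than a YAML parser, and runs them over a constructed weak workflow and a constructed hardened one. The 40-zero SHA in the hardened workflow is a placeholder, not the real commit behind the v7 tag, and the fork-checkout rule detects only references to `github.event.pull_request.head` / `github.event.workflow_run.head*`, which is an assumption about how such workflows name the fork.

```python
"""Added example: re-create the review's three checkout checks over workflow text.

Not the PR's, CodeRabbit's or zizmor's code. Line-based, so it handles the flat
step layout workflows normally use but is not a YAML parser (no anchors, no
multi-line scalars). Both workflow texts are constructed for this example.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"uses:\s*([^@\s]+)@(\S+)")
# Events on which the review says checkout v7 blocks fork (PR head) checkouts.
FORK_EVENTS = ("pull_request_target", "issue_comment", "workflow_run")

# Constructed: the pattern the review flags (mutable tag, credentials persisted,
# PR head of a fork checked out on pull_request_target).
WEAK_WORKFLOW = """\
name: e2e
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head (fork)
        uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - name: Set up Go
        uses: actions/setup-go@v5
"""

# Constructed: what the inline comments ask for on a read-only CI job.
# The 40-zero SHA is a placeholder for the real commit behind the v7 tag.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # placeholder SHA: replace with the real commit behind the v7 tag
        uses: actions/checkout@0000000000000000000000000000000000000000 # v7
        with:
          persist-credentials: false
      - run: go test ./...
"""


def is_pinned(ref):
    """True only for a full commit SHA; tags and branches can be moved."""
    return bool(SHA_RE.match(ref))


def fork_triggers(text):
    """FORK_EVENTS that the workflow declares, as a mapping key or inside an `on: [..]` list."""
    found = []
    for ev in FORK_EVENTS:
        as_key = re.search(rf"^\s*(?:-\s*)?{ev}\s*:?\s*$", text, re.M)
        in_list = re.search(rf"\[[^\]]*\b{ev}\b[^\]]*\]", text)
        if as_key or in_list:
            found.append(ev)
    return found


def parse_steps(text):
    """Extract every `uses:` step with its `with:` mapping (values unquoted)."""
    steps, step, with_indent = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if with_indent is not None and indent > with_indent:  # inside `with:`
            key, _, value = stripped.partition(":")
            step["with"][key.strip()] = value.strip().strip("'\"")
            continue
        with_indent = None
        if stripped.startswith("- "):  # every list item starts a new step
            step = {"action": None, "ref": None, "with": {}}
            steps.append(step)
            stripped = stripped[2:].strip()
        if step is None:
            continue
        m = USES_RE.match(stripped)
        if m:
            step["action"], step["ref"] = m.group(1), m.group(2)
        elif re.fullmatch(r"with:\s*", stripped):
            with_indent = indent
    return [s for s in steps if s["action"]]


def audit(text):
    """One finding string per problem, in step order; empty list means clean."""
    findings, events = [], fork_triggers(text)
    for s in parse_steps(text):
        w = s["with"]
        if not is_pinned(s["ref"]):
            findings.append(f"unpinned-uses: {s['action']}@{s['ref']} is a mutable ref; pin to a commit SHA")
        if s["action"] != "actions/checkout":
            continue
        if w.get("persist-credentials") != "false":
            findings.append("artipacked: actions/checkout does not set persist-credentials: false")
        # Assumption: fork checkouts name the head via the event payload.
        reads_head = any("pull_request.head" in v or "workflow_run.head" in v for v in w.values())
        if events and reads_head and w.get("allow-unsafe-pr-checkout") != "true":
            findings.append(f"fork-checkout: PR head checkout on {','.join(events)} is blocked by checkout v7 "
                            "by default; allow-unsafe-pr-checkout: true needs a documented justification")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit(text)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Running it reports four findings for the weak workflow (unpinned checkout, credentials persisted, fork checkout on pull_request_target, unpinned setup-go) and none for the hardened one. The fork-checkout rule is intentionally conservative: it only fires when a fork event is declared and the step reads the PR head from the event payload, which is exactly the shape the linked-repository findings quote from host-operator.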
MatousJobanek left a comment:
/ok-to-test
/lgtm
/retest
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dependabot[bot], MatousJobanek
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)