build(deps): bump actions/checkout from 6 to 7#91
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
masutaka
left a comment
There was a problem hiding this comment.
Overview
- Package: actions/checkout 6 → 7
- Dependency type: GitHub Actions (CI only; not a runtime dependency)
- Version change: Major
Key Findings
- Breaking Changes: Yes. The main breaking change in v7.0.0 is that fork PR checkout is now blocked for
pull_request_targetandworkflow_run(actions/checkout#2454). However,actions/checkoutis only used in the rspec job of.github/workflows/test.yml, which is triggered bypush/pull_request, so it is not affected by this change. The internal implementation was also migrated to ESM (actions/checkout#2463), but no changes are required on the caller side. - Security: None. Cross-checked against open Dependabot alerts (
state=open), but there are none linked toactions/checkout, so this PR is a regular version bump rather than a security fix. - Supported versions: No additional impact. v7 requires the Node.js 24 runner, but this was already required in v5/v6 and is not a new requirement introduced by the v6 → v7 bump.
- CI status: Pass (rspec 3.0–4.0, actionlint, codeql, and dependency_review all succeeded).
- Cascading updates: None. The diff is a single line in
test.yml, changing@v6→@v7(+1 / -1).
Scope of Impact
The change is limited to the single checkout reference tag line in .github/workflows/test.yml. There is no impact on application code (e.g., lib/); it is confined to the CI execution environment. The only job that uses it performs a simple checkout of its own repository, so it is unaffected by the fork PR restriction or the ESM migration.
Conclusion
No issues.
Although this is a major version bump, the breaking change in v7.0.0 (blocking fork PR checkout) applies to pull_request_target / workflow_run triggers, which do not match this repository's usage (a self-repository checkout in the rspec job under push / pull_request). There is no linked security alert, and CI passes across the board, so it is safe to merge as is.
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)