Skip to content

Bump actions/checkout from 6 to 7#379

Merged
cmmarslender merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Jun 30, 2026
Merged

Bump actions/checkout from 6 to 7#379
cmmarslender merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
actions/checkout [< 6.1, > 6]

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Mechanical third-party action version bump with no application or build logic changes; main v7 behavior change (blocking fork PR checkout on pull_request_target/workflow_run) does not apply to these standard pull_request checkouts.

Overview
Updates every GitHub Actions workflow that checks out the repo (or the Chia-Network/mpir_gc_x64 dependency on Windows) from actions/checkout@v6 to actions/checkout@v7.

Touched workflows include build, build-packages, build-c-libraries, build-riscv64, codeql-analysis, and rust; step inputs such as fetch-depth and secondary-repo path/repository are unchanged.

Reviewed by Cursor Bugbot for commit 7a3cc98. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 30, 2026
@github-actions

Copy link
Copy Markdown

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how actions/checkout is used in workflows and analyzing upstream v7 changes for supply-chain risk.
Verdict: benign

This update matches a legitimate actions/checkout v7.0.0 release from GitHub’s official repo, not a supply-chain compromise.

Scanner vs. manual review: The malware scan reported warn with 166 heuristic hits, but 0 unicode, confusable, and IOC findings. Those heuristics are false positives:

  • charCodeAt/codePointAt hits are in bundled dist/index.js (HTTP/URL parsing from dependencies like undici), not hidden payload decoders.
  • shell_process_spawn hits match expected @actions/exec git usage and the dependency name "@actions/exec" in package.json — normal for a checkout action.

Checklist (all clear):

  • Obfuscation: No eval, Function, base64 decoders, or suspicious dynamic imports in upstream src/.
  • Network / persistence / exfiltration: Source URLs are GitHub-related (github.com, api.github.com, docs links). No startup writes or token exfil patterns.
  • Process spawning: Git subprocess calls via @actions/exec are expected and unchanged in purpose.
  • Unicode / GlassWorm: Scanner found none; no zero-width, bidi, or homoglyph issues in changed files.
  • Dependency integrity: v6→v7 is a tagged major (v7.0.0), with documented PRs from GitHub maintainers. Dependency changes are expected semver bumps of @actions/*, ESM migration, and removal of uuid — no new install lifecycle scripts (preinstall/postinstall absent in both v6 and v7).
  • Dependabot context: This repo’s PR should only bump workflow pins (actions/checkout@v6@v7). Upstream .github/workflows/ edits are in the action repo itself, not injected into chiavdf.

Notable v7 behavior (security improvement, not malware): v7 blocks checking out fork PR code in pull_request_target / workflow_run unless allow-unsafe-pr-checkout: true is set. This repo has no workflows using those triggers, so the change should not break CI.

Recommendation: Safe to merge from a supply-chain perspective. After merge, confirm CI passes on a normal pull_request workflow run (especially dependency-cursor-review.yml, which checks out Dependabot PR heads on pull_request, which remains allowed).

Compatibility Analysis

Reviewing how actions/checkout is used in this repo and what changed in v7 upstream.

Compatibility & adoption analysis: actions/checkout v6 → v7

1) Usage in this repo

19 references across 9 workflows (version-only bump in each):

Workflow Uses Notable inputs
build.yml 4 fetch-depth: 0
build-packages.yml 3 external repository: Chia-Network/mpir_gc_x64, path, fetch-depth: 1
build-c-libraries.yml 2 same mpir external checkout
build-riscv64.yml 2 fetch-depth: 0
rust.yml 4 default checkout
codeql-analysis.yml 1 fetch-depth: 0
check-commit-signing.yml 1 fetch-depth: 0
dependency-review.yml 1 default checkout
dependency-cursor-review.yml 2 ref: head_sha, persist-credentials: false; second checkout of upstream dep repo

Not used: stale-issue.yml (no checkout). No application/runtime dependency—GitHub Actions only.

Triggers in use: push, pull_request, release, workflow_dispatch, schedule.
Not used: pull_request_target, workflow_run.


2) Intersection with v7 changes

User-facing v7 change: blocks checking out fork PR head/merge refs when the workflow is triggered by pull_request_target or workflow_run, unless allow-unsafe-pr-checkout: true is set.

Impact here: none. No workflows use those triggers. The closest case—dependency-cursor-review.yml checking out ref: head_sha on Dependabot PRs—runs under plain pull_request, which is unaffected.

Other v7 changes (internal):

  • ESM migration, npm dep bumps (@actions/core, js-yaml, etc.) — no consumer API change
  • New optional input allow-unsafe-pr-checkout (default false) — additive only
  • action.yml inputs/outputs otherwise unchanged; runtime remains Node 24 (same as v6)

Inputs this repo actually uses: fetch-depth, repository, path, ref, persist-credentials. All unchanged in behavior for these trigger types.


3) Risks / unknowns

Risk Severity Notes
v7 fork-PR guard None Guard only applies to pull_request_target / workflow_run
Skipped v6.0.1–6.0.3 patches Low Dependabot ignore was [< 6.1, > 6]; v7 is built atop v6.0.3+ fixes (SHA-256, tag handling)
External repo checkouts (mpir, upstream deps) Low Same-org / public repos; standard repository + path pattern
Advanced checkout features None No submodules, lfs, ssh-key, sparse-checkout, or fetch-tags usage
Malware scan (warn) Low Heuristic hits on bundled dist/index.js only; no IOC/unicode findings
GHES / self-hosted Unknown No github-server-url usage; assumes github.com hosted runners

4) Recommendation: merge

This is a mechanical major-version pin update with no overlap with the only behavioral breaking change in v7. All usage is standard repo checkout on push / pull_request / release / workflow_dispatch, plus a few same-org secondary checkouts.

Test plan: let CI on this Dependabot PR run (build, rust, CodeQL, dependency-review). No workflow changes beyond the version bump are required.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 56
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: df4cb1c069e1874edd31b4311f1884172cec0e10..9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
  • Resolved refs: from=df4cb1c069e1874edd31b4311f1884172cec0e10 to=9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 166

Top findings

  • dist/index.js:7097 codepoint_decoder :: const code = this.code = key.charCodeAt(index)
  • dist/index.js:7121 codepoint_decoder :: const code = key.charCodeAt(index)
  • dist/index.js:7810 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • dist/index.js:13927 codepoint_decoder :: for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) {
  • dist/index.js:17018 codepoint_decoder :: const charCode = attributeValue.charCodeAt(0)
  • dist/index.js:17158 codepoint_decoder :: const code = value.charCodeAt(i)
  • dist/index.js:17182 codepoint_decoder :: const code = name.charCodeAt(i)
  • dist/index.js:17232 codepoint_decoder :: const code = value.charCodeAt(i++)
  • dist/index.js:17253 codepoint_decoder :: const code = path.charCodeAt(i)
  • dist/index.js:18351 codepoint_decoder :: if (value.charCodeAt(i) < 0x30 || value.charCodeAt(i) > 0x39) return false
  • dist/index.js:19483 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 0x003D) {
  • dist/index.js:19485 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 0x003D) {
  • dist/index.js:19683 codepoint_decoder :: while (lead < str.length && predicate(str.charCodeAt(lead))) lead++
  • dist/index.js:19687 codepoint_decoder :: while (trail > 0 && predicate(str.charCodeAt(trail))) trail--
  • dist/index.js:20001 codepoint_decoder :: if ((chars.charCodeAt(i) & ~0x7F) !== 0) {
  • dist/index.js:20024 codepoint_decoder :: const cp = boundary.charCodeAt(i)
  • dist/index.js:20801 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j
  • dist/index.js:20802 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i
  • dist/index.js:25492 codepoint_decoder :: const code = url.charCodeAt(i)
  • dist/index.js:25548 codepoint_decoder :: const c = statusText.charCodeAt(i)

@cmmarslender cmmarslender merged commit d5bbf1f into main Jun 30, 2026
67 checks passed
@cmmarslender cmmarslender deleted the dependabot/github_actions/actions/checkout-7 branch June 30, 2026 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant