Bump actions/checkout from 6 to 7#379
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing how This update matches a legitimate Scanner vs. manual review: The malware scan reported warn with 166 heuristic hits, but 0 unicode, confusable, and IOC findings. Those heuristics are false positives:
Checklist (all clear):
Notable v7 behavior (security improvement, not malware): v7 blocks checking out fork PR code in Recommendation: Safe to merge from a supply-chain perspective. After merge, confirm CI passes on a normal Compatibility AnalysisReviewing how Compatibility & adoption analysis:
|
| Workflow | Uses | Notable inputs |
|---|---|---|
build.yml |
4 | fetch-depth: 0 |
build-packages.yml |
3 | external repository: Chia-Network/mpir_gc_x64, path, fetch-depth: 1 |
build-c-libraries.yml |
2 | same mpir external checkout |
build-riscv64.yml |
2 | fetch-depth: 0 |
rust.yml |
4 | default checkout |
codeql-analysis.yml |
1 | fetch-depth: 0 |
check-commit-signing.yml |
1 | fetch-depth: 0 |
dependency-review.yml |
1 | default checkout |
dependency-cursor-review.yml |
2 | ref: head_sha, persist-credentials: false; second checkout of upstream dep repo |
Not used: stale-issue.yml (no checkout). No application/runtime dependency—GitHub Actions only.
Triggers in use: push, pull_request, release, workflow_dispatch, schedule.
Not used: pull_request_target, workflow_run.
2) Intersection with v7 changes
User-facing v7 change: blocks checking out fork PR head/merge refs when the workflow is triggered by pull_request_target or workflow_run, unless allow-unsafe-pr-checkout: true is set.
Impact here: none. No workflows use those triggers. The closest case—dependency-cursor-review.yml checking out ref: head_sha on Dependabot PRs—runs under plain pull_request, which is unaffected.
Other v7 changes (internal):
- ESM migration, npm dep bumps (
@actions/core,js-yaml, etc.) — no consumer API change - New optional input
allow-unsafe-pr-checkout(defaultfalse) — additive only action.ymlinputs/outputs otherwise unchanged; runtime remains Node 24 (same as v6)
Inputs this repo actually uses: fetch-depth, repository, path, ref, persist-credentials. All unchanged in behavior for these trigger types.
3) Risks / unknowns
| Risk | Severity | Notes |
|---|---|---|
| v7 fork-PR guard | None | Guard only applies to pull_request_target / workflow_run |
| Skipped v6.0.1–6.0.3 patches | Low | Dependabot ignore was [< 6.1, > 6]; v7 is built atop v6.0.3+ fixes (SHA-256, tag handling) |
| External repo checkouts (mpir, upstream deps) | Low | Same-org / public repos; standard repository + path pattern |
| Advanced checkout features | None | No submodules, lfs, ssh-key, sparse-checkout, or fetch-tags usage |
Malware scan (warn) |
Low | Heuristic hits on bundled dist/index.js only; no IOC/unicode findings |
| GHES / self-hosted | Unknown | No github-server-url usage; assumes github.com hosted runners |
4) Recommendation: merge
This is a mechanical major-version pin update with no overlap with the only behavioral breaking change in v7. All usage is standard repo checkout on push / pull_request / release / workflow_dispatch, plus a few same-org secondary checkouts.
Test plan: let CI on this Dependabot PR run (build, rust, CodeQL, dependency-review). No workflow changes beyond the version bump are required.
Malware Scan Summary
- Status: warn
- Warn only mode:
true - Changed upstream files scanned:
56 - Resolution strategy:
tag_range - Changed node/vendor paths:
0 - Changed lockfiles:
1 - Resolved upstream range:
df4cb1c069e1874edd31b4311f1884172cec0e10..9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 - Resolved refs: from=
df4cb1c069e1874edd31b4311f1884172cec0e10to=9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 - Unicode findings (post-allowlist):
0 - Confusable findings (post-allowlist):
0 - IOC findings (post-allowlist):
0 - Heuristic findings (post-allowlist):
166
Top findings
dist/index.js:7097codepoint_decoder ::const code = this.code = key.charCodeAt(index)dist/index.js:7121codepoint_decoder ::const code = key.charCodeAt(index)dist/index.js:7810codepoint_decoder ::if (!isTokenCharCode(characters.charCodeAt(i))) {dist/index.js:13927codepoint_decoder ::for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) {dist/index.js:17018codepoint_decoder ::const charCode = attributeValue.charCodeAt(0)dist/index.js:17158codepoint_decoder ::const code = value.charCodeAt(i)dist/index.js:17182codepoint_decoder ::const code = name.charCodeAt(i)dist/index.js:17232codepoint_decoder ::const code = value.charCodeAt(i++)dist/index.js:17253codepoint_decoder ::const code = path.charCodeAt(i)dist/index.js:18351codepoint_decoder ::if (value.charCodeAt(i) < 0x30 || value.charCodeAt(i) > 0x39) return falsedist/index.js:19483codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 0x003D) {dist/index.js:19485codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 0x003D) {dist/index.js:19683codepoint_decoder ::while (lead < str.length && predicate(str.charCodeAt(lead))) lead++dist/index.js:19687codepoint_decoder ::while (trail > 0 && predicate(str.charCodeAt(trail))) trail--dist/index.js:20001codepoint_decoder ::if ((chars.charCodeAt(i) & ~0x7F) !== 0) {dist/index.js:20024codepoint_decoder ::const cp = boundary.charCodeAt(i)dist/index.js:20801codepoint_decoder ::while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --jdist/index.js:20802codepoint_decoder ::while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++idist/index.js:25492codepoint_decoder ::const code = url.charCodeAt(i)dist/index.js:25548codepoint_decoder ::const c = statusText.charCodeAt(i)
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Most Recent Ignore Conditions Applied to This Pull Request
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
Mechanical third-party action version bump with no application or build logic changes; main v7 behavior change (blocking fork PR checkout on
pull_request_target/workflow_run) does not apply to these standardpull_requestcheckouts.Overview
Updates every GitHub Actions workflow that checks out the repo (or the
Chia-Network/mpir_gc_x64dependency on Windows) fromactions/checkout@v6toactions/checkout@v7.Touched workflows include build, build-packages, build-c-libraries, build-riscv64, codeql-analysis, and rust; step inputs such as
fetch-depthand secondary-repopath/repositoryare unchanged.Reviewed by Cursor Bugbot for commit 7a3cc98. Bugbot is set up for automated code reviews on this repo. Configure here.