ci: bump actions/checkout from 4.3.1 to 7.0.0#127
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.3.1...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
There was a problem hiding this comment.
Pull request overview
This is a Dependabot dependency bump that upgrades actions/checkout from v4.3.1 to v7.0.0 in the two remaining workflows that were still on the old version. All other workflows in the repo (ci.yml, freshness.yml, claude-routines.yml, bootstrap-test.yml, etc.) are already pinned to the same v7.0.0 SHA, so this change brings the last two files into alignment.
I verified the pinned SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 resolves exactly to the v7.0.0 tag via the GitHub API, and that the version comment matches. The v7 breaking change (blocking fork-PR checkout for pull_request_target/workflow_run) does not affect these workflows: release.yml triggers only on tag pushes, and sync-fanout.yml's workflow_run fires off the release workflow (also tag-push driven) while checking out an explicit base-repo tag ref rather than a fork PR head.
Changes:
- Bump
actions/checkoutto the SHA-pinned v7.0.0 insync-fanout.ymlandrelease.yml. - Completes repo-wide consistency, as all other workflows already use this SHA.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/sync-fanout.yml |
Updates the "Check out Core at the released tag" step to checkout v7.0.0; unaffected by the fork-PR block since it uses an explicit tag ref. |
.github/workflows/release.yml |
Updates the publish job's checkout to v7.0.0; triggered only on tag push, so no breaking-change impact. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Bumps actions/checkout from 4.3.1 to 7.0.0.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)