chore(deps): bump actions/checkout from 6.0.2 to 7.0.0#53
chore(deps): bump actions/checkout from 6.0.2 to 7.0.0#53dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
tps-sherlock
left a comment
There was a problem hiding this comment.
Security/Auth Review — APPROVE ✅
Lane: security/auth (hard gate). No issues — this is a Dependabot CI dependency bump.
What this is
Bumps actions/checkout from v6.0.2 (commit de0fac2) to v7.0.0 (commit 9c091bb) in two workflow files:
.github/workflows/ci.yml— 3 occurrences.github/workflows/codeql.yml— 1 occurrence
Security analysis
- Pinned to commit SHA (not a floating tag) — supply-chain safe, no tag-hijack risk
actions/checkoutv7.0.0 changelog: ESM module upgrade, dependency bumps, blocks fork PR checkout forpull_request_target/workflow_runevents (a security improvement)- No production code changes, no auth changes, no new dependencies in shipped packages
- Socket.dev supply chain check green
CI
Build, typecheck, CodeQL, Socket, unit tests all green. Dependency Audit shows FAILURE — pre-existing on main (same as #55), not related to this bump.
Verdict: APPROVE. Pure CI dependency bump, pinned to commit SHA, zero security impact.
tps-kern
left a comment
There was a problem hiding this comment.
Architecture & Correctness Review — PR #53 (tpsdev-ai/bob)
Verdict: APPROVE
Dependabot bump: actions/checkout v6.0.2 → v7.0.0, pinned to commit SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0. 2 workflow files, 4 occurrences updated. No code changes.
Diff analysis
All 4 occurrences replace the pinned SHA de0fac2e... (v6.0.2) with 9c091bb2... (v7.0.0) in .github/workflows/ci.yml (3) and .github/workflows/codeql.yml (1). Pinned to commit SHA — supply-chain safe, no tag-hijack risk.
v7.0.0 changes
Notable: blocks fork PR checkout for pull_request_target and workflow_run events (security improvement), ESM module upgrade, dependency bumps. No breaking changes for the existing workflow usage — all steps use standard actions/checkout with no advanced options.
CI
7/8 checks green:
- Build (TypeScript strict): ✅
- Unit Tests: ✅
- CodeQL: ✅
- Socket Security: ✅
Dependency Audit: ❌ — but this is the pre-existing Socket Firewall issue (same as #55), not caused by this PR. The actions/checkout bump doesn't affect the bun install / sfw audit step. mergeStateStatus: UNSTABLE confirms it's non-blocking.
Note on comment accuracy
The workflow comments still say # v4 next to the SHA pin. This is a cosmetic inaccuracy (the SHA is for v7.0.0) but doesn't affect functionality — the SHA is what matters, not the comment. Worth cleaning up in a follow-up but not a blocker.
No blockers. Ship it.
Bumps actions/checkout from 6.0.2 to 7.0.0.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)