Skip to content

build(deps): bump actions/checkout from 6 to 7#610

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7
Open

build(deps): bump actions/checkout from 6 to 7#610
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 03:36
@dependabot dependabot Bot requested review from matthieu526-scalingo and removed request for a team July 1, 2026 03:36
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
Comment thread .github/workflows/ci.yml
steps:
- name: 🛎 Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 uses a movable tag, so a repointed v7 release could make this CI job run attacker-controlled code.

More details about this

actions/checkout@v7 pulls whatever code the v7 tag points to at workflow runtime, not a fixed revision. If the owner of actions/checkout or anyone who compromises that repository moves v7 to a malicious commit, this 🛎 Checkout step will run the attacker’s code inside your unit-tests job on ubuntu-22.04.

A plausible attack looks like this:

  1. An attacker gains the ability to publish a new commit in the actions/checkout repository and repoints the v7 tag to it.
  2. Your workflow starts on push, pull_request, or workflow_dispatch and reaches uses: actions/checkout@v7.
  3. GitHub downloads the attacker-controlled version of the action because the workflow references the mutable v7 tag.
  4. That action runs before test/run, so it can read the job workspace, inspect environment data available to the step, and alter checked-out files or test behavior.
  5. The malicious action could, for example, exfiltrate the repository contents over the network or modify the checkout so later steps operate on attacker-changed code while the workflow still appears to be running normal CI.

Because this job runs automatically for repository events, a silently repointed tag turns a normal checkout step into a supply-chain entry point.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.7
View step-by-step instructions
  1. Replace the mutable version tag in the workflow step with a full 40-character commit SHA for actions/checkout.
    Change uses: actions/checkout@v7 to uses: actions/checkout@<full-40-character-commit-sha>.

  2. Get the correct SHA from the actions/checkout repository release or tag page, and pin the exact revision you intend to trust.
    For example, use the format uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

  3. Keep the action version in a comment next to the pinned SHA so future updates are easier to manage.
    For example, uses: actions/checkout@<sha> # v4.1.7.

  4. If you rely on a newer major version, verify that the pinned commit actually belongs to that version line before updating the reference. Pinning to a commit prevents the action owner from silently moving a tag or branch to different code.

Alternatively, if you need easier dependency maintenance, use Dependabot or Renovate to update pinned GitHub Action SHAs automatically while still keeping uses: locked to full commit hashes.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants