build(deps): bump actions/checkout from 6 to 7#610
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
| steps: | ||
| - name: 🛎 Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/checkout@v7 uses a movable tag, so a repointed v7 release could make this CI job run attacker-controlled code.
More details about this
actions/checkout@v7 pulls whatever code the v7 tag points to at workflow runtime, not a fixed revision. If the owner of actions/checkout or anyone who compromises that repository moves v7 to a malicious commit, this 🛎 Checkout step will run the attacker’s code inside your unit-tests job on ubuntu-22.04.
A plausible attack looks like this:
- An attacker gains the ability to publish a new commit in the
actions/checkoutrepository and repoints thev7tag to it. - Your workflow starts on
push,pull_request, orworkflow_dispatchand reachesuses: actions/checkout@v7. - GitHub downloads the attacker-controlled version of the action because the workflow references the mutable
v7tag. - That action runs before
test/run, so it can read the job workspace, inspect environment data available to the step, and alter checked-out files or test behavior. - The malicious action could, for example, exfiltrate the repository contents over the network or modify the checkout so later steps operate on attacker-changed code while the workflow still appears to be running normal CI.
Because this job runs automatically for repository events, a silently repointed tag turns a normal checkout step into a supply-chain entry point.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/checkout@v7 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.7 |
View step-by-step instructions
-
Replace the mutable version tag in the workflow step with a full 40-character commit SHA for
actions/checkout.
Changeuses: actions/checkout@v7touses: actions/checkout@<full-40-character-commit-sha>. -
Get the correct SHA from the
actions/checkoutrepository release or tag page, and pin the exact revision you intend to trust.
For example, use the formatuses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608. -
Keep the action version in a comment next to the pinned SHA so future updates are easier to manage.
For example,uses: actions/checkout@<sha> # v4.1.7. -
If you rely on a newer major version, verify that the pinned commit actually belongs to that version line before updating the reference. Pinning to a commit prevents the action owner from silently moving a tag or branch to different code.
Alternatively, if you need easier dependency maintenance, use Dependabot or Renovate to update pinned GitHub Action SHAs automatically while still keeping uses: locked to full commit hashes.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)