Skip to content

chore(deps): bump actions/checkout from 6 to 7#1238

Merged
github-actions[bot] merged 2 commits into
masterfrom
dependabot/github_actions/actions/checkout-7
Jul 9, 2026
Merged

chore(deps): bump actions/checkout from 6 to 7#1238
github-actions[bot] merged 2 commits into
masterfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 00:03
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Jul 1, 2026
@dependabot dependabot Bot requested review from sc-david-voisin and removed request for a team July 1, 2026 00:03
@github-actions github-actions Bot enabled auto-merge July 1, 2026 00:03
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

@semgrep-code-scalingo semgrep-code-scalingo Bot Jul 1, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

🥳 Fixed in commit cd345ef 🥳

Comment thread .github/workflows/publish.yml Outdated
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 is a mutable tag, so a repointed tag could run attacker-controlled code in your release jobs with repository write access.

More details about this

actions/checkout@v7 pulls whatever code the v7 tag points to at runtime instead of a specific commit. In this releases job, that action runs before GoReleaser and has access to the checked-out repository plus the job’s contents: write permission, so if the v7 tag were ever repointed to attacker-controlled code, that code would execute during your release pipeline.

A plausible attack looks like this:

  1. An attacker compromises the actions/checkout action or gains the ability to move its v7 tag to a different commit.
  2. Your workflow starts on a tag push (if: ${{ github.ref_type == 'tag' }}) and runs - uses: actions/checkout@v7 in the releases job.
  3. GitHub resolves @v7 to the attacker’s commit, and the malicious action code runs on ubuntu-24.04 inside your release job.
  4. That code can read the repository contents fetched by actions/checkout, use the job’s contents: write permission to alter release artifacts or create/update a GitHub release, and access GITHUB_TOKEN later exposed to the GoReleaser step.
  5. The result is a supply-chain compromise where users download a release produced or modified by attacker-controlled code, even though your workflow file still says actions/checkout@v7.

The same risk also appears in the releases-windows job, which uses the same mutable actions/checkout@v7 reference before building Windows releases.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # required by GoReleaser (https://goreleaser.com/ci/actions/#fetch-all-history)
View step-by-step instructions
  1. Replace the mutable action reference actions/checkout@v7 with a full 40-character commit SHA for the exact release you want to trust, for example actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  2. Apply the same change to the other actions/checkout@v7 step shown in this workflow so both checkout steps use the same pinned commit.
  3. Keep the existing with: block unchanged, so the step still uses fetch-depth: 0 after pinning. Pinning to a commit SHA prevents the action owner from silently changing what code runs under the same tag name.
  4. Alternatively, if you need a newer actions/checkout release than the example SHA, look up the commit behind that release on the action's GitHub releases page and pin uses: to that 40-character SHA instead of the version tag.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

@semgrep-code-scalingo

Copy link
Copy Markdown

Legal Risk

The following dependencies were released under a license that
has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

MPL-2.0

@github-actions github-actions Bot merged commit 9e97cdd into master Jul 9, 2026
7 checks passed
@github-actions github-actions Bot deleted the dependabot/github_actions/actions/checkout-7 branch July 9, 2026 09:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant