
build(deps): bump actions/checkout from 6 to 7 #550

Merged: eqrx merged 1 commit into main from dependabot/github_actions/actions/checkout-7 on Jun 18, 2026

Conversation

dependabot (bot) commented on behalf of github, Jun 18, 2026

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot (bot) added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code), Jun 18, 2026
dependabot (bot) requested a review from a team as a code owner, June 18, 2026 16:23
coderabbitai (bot) commented Jun 18, 2026

Walkthrough

Two GitHub Actions workflow files have their repository checkout step updated from actions/checkout@v6 to actions/checkout@v7. No other workflow logic, job configuration, or action versions are modified.

Changes

actions/checkout version bump

Layer / File(s): .github/workflows/codeql-analysis.yml, .github/workflows/testing.yaml
Summary: Both workflows update the checkout step from actions/checkout@v6 to actions/checkout@v7; no other changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The PR description is missing key required sections from the template: Summary, Change Type, and Check List Before Merging are not present. Resolution: add a Summary section describing what the PR accomplishes, specify the Change Type (Breaking Change applies here), and include the pre-merge checklist with the relevant items checked.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title accurately describes the main change: bumping the actions/checkout dependency from version 6 to 7.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai (bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-analysis.yml:
- Line 36: Replace the mutable major tag `v7` in the `actions/checkout` action
with the specific commit SHA `9c091bb` to eliminate supply-chain risk. Change
`uses: actions/checkout@v7` to `uses: actions/checkout@9c091bb`. Additionally,
apply the same fix to the identical unpinned `actions/checkout` reference that
exists in the testing.yaml workflow file to ensure consistency across all
workflow files.

In @.github/workflows/testing.yaml:
- Line 22: Replace the mutable version tag `v7` in the `actions/checkout` action
reference with the full-length commit SHA of that version to prevent
tag-retargeting attacks. Pin the checkout action to its exact commit SHA and
include the v7 version tag as a comment within the uses line for future
maintainability and clarity.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b8d95850-ad87-46f2-adc5-39a50163c981

📥 Commits

Reviewing files that changed from the base of the PR and between c87f3da and 94463f7.

📒 Files selected for processing (2)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/testing.yaml

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7
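Review bot: `uses: actions/checkout@v7` replaces one mutable major tag with another, so the codeql-analysis.yml step still resolves whatever `v7` points to at run time, which is exactly the unpinned-uses finding zizmor reports for line 36. Pin the step to the full 40-character commit SHA of the v7.0.0 tag and keep `# v7` as a trailing comment, and apply the identical form in testing.yaml so the two workflows do not end up pinned in different ways.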


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification:
# 1) Confirm any remaining unpinned checkout references.
# 2) Resolve the commit SHA behind v7 so it can be pinned explicitly.

set -euo pipefail

echo "== Unpinned checkout references =="
rg -nP 'uses:\s*actions/checkout@v[0-9]+' .github/workflows

echo
echo "== Resolve v7 tag to commit SHA (GitHub API) =="
curl -fsSL https://api.github.com/repos/actions/checkout/git/ref/tags/v7 | jq -r '.object.sha'

Repository: package-operator/boxcutter

Length of output: 361


🌐 Web query:

actions/checkout v7 commit SHA release tag github

💡 Result:

As of today, June 18, 2026, the actions/checkout action has released version v7.0.0 [1]. The v7.0.0 release introduces support for ECMAScript Modules (ESM) to accommodate newer versions of @actions/* packages and includes security-focused updates, such as blocking the checkout of fork pull requests in pull_request_target and workflow_run contexts [1][2]. The specific commit SHA for the v7.0.0 release tag is 9c091bb [1]. For your workflow configuration, you can use the v7 tag as follows: `- uses: actions/checkout@v7`. While v7.0.0 is the latest major release, always refer to the official repository releases page for the most current information and changelogs [1].


Pin actions/checkout to a commit SHA (not a mutable major tag).

Line 36 currently uses actions/checkout@v7, which is mutable and poses a supply-chain risk. The v7 tag corresponds to commit 9c091bb. Pin to this commit SHA to prevent supply-chain drift.

Note: Multiple workflow files have unpinned checkout references (also at testing.yaml:22).

Suggested change
-      uses: actions/checkout@v7
+      uses: actions/checkout@9c091bb
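Review bot: the suggested `uses: actions/checkout@9c091bb` pins to a 7-character abbreviated SHA, which is not a collision-resistant identifier and differs from the full-length pin the testing.yaml comment asks for; it also drops the version comment Dependabot relies on to propose the next bump. Replace it with the full 40-character SHA followed by `# v7`, the form used in the testing.yaml suggestion, so both files are pinned the same way.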
🧰 Tools
🪛 zizmor (1.25.2)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7
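Review bot: this is a semver-major bump, and the v7.0.0 release notes quoted in the review's web query result say checkout of fork pull requests is now blocked under pull_request_target and workflow_run; the `on:` block of testing.yaml is not part of this diff, so confirm the workflow does not depend on checking out a fork PR under either trigger before treating the bump as behaviour-neutral. The pinning point raised for codeql-analysis.yml applies to this `uses: actions/checkout@v7` line as well.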


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read it
if [ -f .github/workflows/testing.yaml ]; then
    echo "=== File found. Reading content ==="
    cat -n .github/workflows/testing.yaml
else
    echo "File not found"
fi

Repository: package-operator/boxcutter

Length of output: 2054


🏁 Script executed:

# Also check for other workflow files to understand the pattern
echo "=== Checking for other workflow files ==="
fd -e yaml -e yml .github/workflows/

Repository: package-operator/boxcutter

Length of output: 508


🏁 Script executed:

# Check for other workflow files properly
echo "=== Looking for other workflow files ==="
fd . '.github/workflows/' --type f

# Also check what other actions are used in this file to see pinning patterns
echo ""
echo "=== Other actions in testing.yaml ==="
grep -n "uses:" .github/workflows/testing.yaml

Repository: package-operator/boxcutter

Length of output: 414


🌐 Web query:

GitHub Actions pinning commit SHA security best practice v7 mutable

💡 Result:

Pinning GitHub Actions to a full-length commit SHA (e.g., 40 characters) is a critical security best practice for supply chain hardening [1][2][3]. While version tags (like @v7) are convenient, they are mutable references in Git, meaning an action author—or an attacker who gains write access to that repository—can silently update the tag to point to a different, potentially malicious commit [2][4][5][6]. Key points regarding this security practice: Immutable References: Pinning to a full-length commit SHA ensures that the exact, verified code you expect is executed every time [2][7][3]. This protects against tag-retargeting attacks [8]. Policy Enforcement: GitHub now supports organization-level policies that allow administrators to mandate SHA pinning for all actions [1][9][2]. When enforced, workflows using mutable tags will fail, requiring developers to switch to SHA pins [9][2]. This policy typically checks the entire dependency tree, including internal sub-actions [2]. Maintenance Strategy: To maintain security without excessive manual effort, it is standard practice to pin the SHA while including the original version tag as a comment [10][4][6][11]. This format (e.g., uses: actions/checkout@11bd719... # v4.2.2) enables automated tools like Dependabot or Renovate to correctly identify and propose updates when new versions are released [7][10][4][11]. Best Practices: - Always pin third-party actions to full commit SHAs [1][11][3]. - Use automated dependency management tools to keep SHAs updated, but remain cautious of auto-merging updates without review [8][7][6]. - Consider implementing repository-level or organization-level policies to enforce SHA pinning [1][9][6]. - When writing custom actions, pin your own internal sub-action references to SHAs to ensure your consumers are protected when they adopt SHA-pinning policies [2].


Pin the checkout action to an exact commit SHA for supply chain security.

Line 22 uses actions/checkout@v7, which is a mutable version tag. This violates the principle of pinning actions to full-length commit SHAs to prevent tag-retargeting attacks. Pin this reference to the exact commit SHA of v7, including the version tag as a comment for maintainability.

Suggested change
-    - name: Checkout
-      uses: actions/checkout@v7
+    - name: Checkout
+      uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA> # v7
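Review bot: `<FULL_LENGTH_COMMIT_SHA>` is a placeholder, so this suggestion cannot be committed as written; substitute the resolved 40-character SHA of the v7.0.0 tag (the first comment resolved the tag only to the abbreviated `9c091bb`) or the runner will fail to fetch the ref. Keep the `# v7` comment, since Dependabot uses it to recognise the pinned version when proposing updates.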
🧰 Tools
🪛 zizmor (1.25.2)

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools
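The pinning rule the two review comments apply by hand (full-length SHA plus a version comment, flagged per file by zizmor's unpinned-uses check) can be run over a whole workflow before a merge. The script below is an added example, not code from package-operator/boxcutter or from CodeRabbit; it assumes `uses:` lines of the form `owner/repo@ref` with an optional trailing `# vX.Y.Z` comment, skips local (`./path`) and `docker://` actions, and uses a constructed sample workflow so it runs offline. It goes slightly beyond the comments above by also separating abbreviated SHAs from full ones.

```shell
#!/bin/sh
# Added example (not package-operator/boxcutter code): classify every `uses:`
# reference in a GitHub Actions workflow so mutable tags and abbreviated SHAs
# stand out before a merge.
# Assumptions: lines look like `uses: owner/repo@ref` with an optional trailing
# `# vX.Y.Z` comment; local (./path) and docker:// actions are skipped.

# Emit one record per action reference: "<lineno>:<status>:<ref>", where
#   PINNED           40-hex SHA plus a version comment (what Dependabot needs)
#   PINNED_NOCOMMENT 40-hex SHA but no version comment
#   SHORT_SHA        hex prefix shorter than 40 characters (not collision-safe)
#   MUTABLE          a tag or branch name, which the upstream owner can retarget
classify_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      line = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", line)
      comment = ""
      i = index(line, "#")
      if (i > 0) { comment = substr(line, i); line = substr(line, 1, i - 1) }
      gsub(/[[:space:]]+$/, "", line)   # trailing blanks before the comment
      gsub(/["'"'"']/, "", line)         # YAML quotes around the ref
      if (line ~ /^\.\// || line ~ /^docker:\/\//) next
      n = split(line, parts, "@")
      if (n < 2) { print NR ":MUTABLE:" line; next }   # no ref at all: floats
      ref = parts[n]
      if (ref ~ /^[0-9a-f]+$/ && length(ref) == 40) {
        if (comment ~ /v[0-9]/) print NR ":PINNED:" line
        else print NR ":PINNED_NOCOMMENT:" line
      } else if (ref ~ /^[0-9a-f]+$/ && length(ref) >= 7) {
        print NR ":SHORT_SHA:" line
      } else {
        print NR ":MUTABLE:" line
      }
    }' "$1"
}

# Number of references that are not pinned to a full-length SHA.
count_unpinned() {
  classify_uses "$1" | grep -E -c ':(MUTABLE|SHORT_SHA):' || true
}

# Constructed sample workflow (not from the repository) covering each case;
# the SHAs are made-up hex strings, not real commits.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: testing
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v7
      - uses: actions/checkout@0123456
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: 'actions/cache@0123456789abcdef0123456789abcdef01234567'
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
EOF
}

# Report every reference and fail (exit 1) if any is unpinned, so the script
# can gate a CI job the same way the zizmor unpinned-uses rule does.
audit_workflow() {
  classify_uses "$1"
  [ "$(count_unpinned "$1")" -eq 0 ]
}

# Stand-alone use: WORKFLOW=.github/workflows/testing.yaml sh audit.sh
if [ -n "${WORKFLOW:-}" ]; then
  audit_workflow "$WORKFLOW"
fi
```

On the constructed sample the report lists lines 8 to 11 (the `v7` tag as MUTABLE, the 7-character prefix as SHORT_SHA, the commented full SHA as PINNED and the uncommented one as PINNED_NOCOMMENT) and `count_unpinned` returns 2, so `audit_workflow` exits non-zero; only the PINNED form is what a Dependabot-maintained, SHA-pinned workflow should contain.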

@eqrx eqrx merged commit 80bb241 into main Jun 18, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-7 branch June 18, 2026 17:05