Skip to content

build(deps): bump actions/checkout from 4 to 7#244

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Open

build(deps): bump actions/checkout from 4 to 7#244
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 4 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated internal continuous integration and deployment workflows to use updated versions of build tools and dependencies.

@dependabot
build(deps): bump actions/checkout from 4 to 7
53997df 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 22, 2026
@coderabbitai

coderabbitai Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Walkthrough

All actions/checkout references across three GitHub Actions workflow files (.github/workflows/commands.yml, release.yaml, and test.yaml) are updated from @v4 to @v7. Eight individual job steps are affected; no other workflow logic is changed.

Changes

actions/checkout version bump

Layer / File(s) Summary
Bump actions/checkout@v4 to @v7 in all workflow jobs
.github/workflows/commands.yml, .github/workflows/release.yaml, .github/workflows/test.yaml		 Eight checkout step references across the retest, Linux release, Windows release, lint, verify-vendor, build, test-linux, and test-win jobs are updated from actions/checkout@v4 to actions/checkout@v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error The entrypoint.sh script uses 'set -ex' enabling command trace logging, exposing GITHUB_TOKEN in Authorization headers via curl commands to CI logs. Replace 'set -ex' with 'set -e' and use 'set +x' before curl commands, or use curl's -H redacted flag to mask sensitive headers in logs.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'build(deps): bump actions/checkout from 4 to 7' directly and clearly describes the main change—upgrading the GitHub Actions checkout dependency from version 4 to 7 across multiple workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only modifies GitHub Actions workflow files (.github/workflows/*), not Go test files. The custom check for Ginkgo test name stability is not applicable since no test definitions are modified.
Test Structure And Quality ✅ Passed This PR only updates actions/checkout versions in workflow files from v4 to v7; no Ginkgo test code was modified, making the test quality check inapplicable.
Microshift Test Compatibility ✅ Passed PR only updates GitHub Actions workflow files to bump actions/checkout from v4 to v7; no new Ginkgo e2e tests are added, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR only updates GitHub Actions workflow YAML files (actions/checkout v4→v7) and does not add any new Ginkgo e2e tests. The check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only modifies GitHub Actions workflow files (.github/workflows/) to bump the actions/checkout version from v4 to v7. These are CI/CD configuration files, not Kubernetes deployment manifests,...
Ote Binary Stdout Contract ✅ Passed PR only modifies GitHub Actions workflow YAML files (.github/workflows/*.yml/yaml), not Go source code. OTE Binary Stdout Contract check is not applicable to workflow configuration changes.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR only modifies GitHub Actions workflow YAML files (.github/workflows/commands.yml, release.yaml, test.yaml) to update the actions/checkout action from v4 to v7. No Ginkgo e2e tests are added...
No-Weak-Crypto ✅ Passed PR contains no weak cryptography, custom crypto implementations, or non-constant-time secret comparisons. Changes are only workflow config version bumps with no cryptographic code.
Container-Privileges ✅ Passed This PR modifies only GitHub Actions workflow files (commands.yml, release.yaml, test.yaml) to bump actions/checkout from v4 to v7. The custom check targets container/K8s manifests with privilege e...
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-7

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from bpickard22 and s1061123 June 22, 2026 10:42
@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dougbtv for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 22, 2026
@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 22, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/commands.yml:
- Line 12: The actions/checkout step uses a mutable tag (`@v7`) instead of a
pinned commit SHA, and lacks the persist-credentials configuration required for
security hardening. Replace the `uses: actions/checkout@v7` with a full commit
SHA in the format `uses: actions/checkout@<FULL_COMMIT_SHA>` and add
`persist-credentials: false` as a new parameter in the with section to ensure
immutable deployment and disable credential persistence.

In @.github/workflows/release.yaml:
- Line 17: The release workflow has two instances of actions/checkout@v7 (at
lines 17 and 72) that present security risks due to using version tags instead
of full SHAs and allowing default credential persistence. Replace both
`actions/checkout@v7` with the full SHA-pinned version and add
`persist-credentials: false` to each checkout step to disable credential
persistence and mitigate supply-chain and token-exposure risks.

In @.github/workflows/test.yaml:
- Line 15: All five checkout action steps using actions/checkout@v7 at lines 15,
31, 46, 77, and 108 need security hardening. Replace the mutable version tag `@v7`
with a pinned full commit SHA (the specific commit hash for that release) and
add the persist-credentials: false parameter to each checkout step to disable
credential persistence. This ensures reproducible deployments and reduces
security risk by not storing Git credentials in the runner environment.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3416ea46-7001-4ac1-be4e-38e9dfe4db2f

📥 Commits

Reviewing files that changed from the base of the PR and between d6f7395 and 53997df.

📒 Files selected for processing (3)
  • .github/workflows/commands.yml
  • .github/workflows/release.yaml
  • .github/workflows/test.yaml

Comment thread .github/workflows/commands.yml
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v7

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all checkout uses are SHA-pinned and have persist-credentials:false nearby.
rg -n --type=yaml 'uses:\s*actions/checkout@' .github/workflows
echo
echo "Potentially unpinned checkout references:"
rg -n --type=yaml 'uses:\s*actions/checkout@v[0-9]+' .github/workflows
echo
echo "Checkout steps missing persist-credentials:false (manual inspect from context):"
rg -n -C2 --type=yaml 'uses:\s*actions/checkout@' .github/workflows

Repository: openshift/containernetworking-plugins

Length of output: 3564

🏁 Script executed:

cat -n .github/workflows/commands.yml | head -20

Repository: openshift/containernetworking-plugins

Length of output: 574

Pin actions/checkout to an immutable SHA and disable credential persistence.

This step uses a mutable tag (@v7) instead of a full commit SHA and lacks the persist-credentials: false configuration. Both are required by the CI/CD security hardening guidelines.

Suggested patch 
      - name: Check out code
-       uses: actions/checkout@v7
+       uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+       with:
+         persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commands.yml at line 12, The actions/checkout step uses a
mutable tag (`@v7`) instead of a pinned commit SHA, and lacks the
persist-credentials configuration required for security hardening. Replace the
`uses: actions/checkout@v7` with a full commit SHA in the format `uses:
actions/checkout@<FULL_COMMIT_SHA>` and add `persist-credentials: false` as a
new parameter in the with section to ensure immutable deployment and disable
credential persistence.

Sources: Coding guidelines, Linters/SAST tools

Comment thread .github/workflows/release.yaml
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/release.yaml | head -80

Repository: openshift/containernetworking-plugins

Length of output: 2930

Pin both actions/checkout steps to full SHAs and disable credential persistence.

Lines 17 and 72 both use actions/checkout@v7 with default credential persistence, which presents a supply-chain and token-exposure risk in this release workflow.

Suggested patch 
      - name: Checkout code
-       uses: actions/checkout@v7
+       uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+       with:
+         persist-credentials: false

Per CI/CD security guidelines: pin actions by full SHA (not tag) and apply credential hardening controls in workflows.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 17, The release workflow has two
instances of actions/checkout@v7 (at lines 17 and 72) that present security
risks due to using version tags instead of full SHAs and allowing default
credential persistence. Replace both `actions/checkout@v7` with the full
SHA-pinned version and add `persist-credentials: false` to each checkout step to
disable credential persistence and mitigate supply-chain and token-exposure
risks.

Sources: Coding guidelines, Linters/SAST tools

Comment thread .github/workflows/test.yaml
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test.yaml | sed -n '10,120p'

Repository: openshift/containernetworking-plugins

Length of output: 3943

Pin all checkout actions to full commit SHA and disable credential persistence.

All five checkout steps at lines 15, 31, 46, 77, and 108 use the mutable tag @v7 and do not disable credential persistence, violating the CI/CD security baseline.

Suggested patch pattern (apply to each checkout step) 
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml at line 15, All five checkout action steps using
actions/checkout@v7 at lines 15, 31, 46, 77, and 108 need security hardening.
Replace the mutable version tag `@v7` with a pinned full commit SHA (the specific
commit hash for that release) and add the persist-credentials: false parameter
to each checkout step to disable credential persistence. This ensures
reproducible deployments and reduces security risk by not storing Git
credentials in the runner environment.

Sources: Coding guidelines, Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments
@bpickard22 bpickard22 Awaiting requested review from bpickard22
@s1061123 s1061123 Awaiting requested review from s1061123

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants