2 changes: 1 addition & 1 deletion .github/workflows/commands.yml
@@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v7

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all checkout uses are SHA-pinned and have persist-credentials:false nearby.
rg -n --type=yaml 'uses:\s*actions/checkout@' .github/workflows
echo
echo "Potentially unpinned checkout references:"
rg -n --type=yaml 'uses:\s*actions/checkout@v[0-9]+' .github/workflows
echo
echo "Checkout steps missing persist-credentials:false (manual inspect from context):"
rg -n -C2 --type=yaml 'uses:\s*actions/checkout@' .github/workflows

Repository: openshift/containernetworking-plugins

Length of output: 3564


🏁 Script executed:

cat -n .github/workflows/commands.yml | head -20

Repository: openshift/containernetworking-plugins

Length of output: 574


Pin actions/checkout to an immutable SHA and disable credential persistence.

This step uses a mutable tag (@v7) instead of a full commit SHA and lacks the persist-credentials: false configuration. Both are required by the CI/CD security hardening guidelines.

Suggested patch
      - name: Check out code
-       uses: actions/checkout@v7
+       uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+       with:
+         persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commands.yml at line 12, the actions/checkout step uses a
mutable tag (`@v7`) instead of a pinned commit SHA, and lacks the
persist-credentials configuration required for security hardening. Replace the
`uses: actions/checkout@v7` with a full commit SHA in the format `uses:
actions/checkout@<FULL_COMMIT_SHA>` and add `persist-credentials: false` as a
new parameter in the with section to ensure immutable deployment and disable
credential persistence.

Sources: Coding guidelines, Linters/SAST tools


- name: Re-Test Action
uses: ./.github/actions/retest-action
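Review bot: the `uses: actions/checkout@v7` line in this hunk replaces one mutable major tag with another, so the reference is still not pinned (the zizmor `unpinned-uses` finding on this file remains valid after the bump) and the default credential persistence is unchanged, which matters here because the `./.github/actions/retest-action` step that follows runs in the same job and has access to any token the checkout persisted. Pin to a full 40-character commit SHA with a trailing `# v7` comment so dependency-update tooling can still track the tag, and add `with:` / `persist-credentials: false`; the jump from v4 to v7 also skips two major versions, so the PR description should say which release notes were checked.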
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
@@ -14,7 +14,7 @@ jobs:
goarch: [amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x]
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/release.yaml | head -80

Repository: openshift/containernetworking-plugins

Length of output: 2930


Pin both actions/checkout steps to full SHAs and disable credential persistence.

Lines 17 and 72 both use actions/checkout@v7 with default credential persistence, which presents a supply-chain and token-exposure risk in this release workflow.

Suggested patch
      - name: Checkout code
-       uses: actions/checkout@v7
+       uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+       with:
+         persist-credentials: false

Per CI/CD security guidelines: pin actions by full SHA (not tag) and apply credential hardening controls in workflows.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 17, the release workflow has two
instances of actions/checkout@v7 (at lines 17 and 72) that present security
risks due to using version tags instead of full SHAs and allowing default
credential persistence. Replace both `actions/checkout@v7` with the full
SHA-pinned version and add `persist-credentials: false` to each checkout step to
disable credential persistence and mitigate supply-chain and token-exposure
risks.

Sources: Coding guidelines, Linters/SAST tools


- name: Install Go
uses: actions/setup-go@v5
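Review bot: this is the release workflow (a matrix over amd64, arm, arm64, mips64le, ppc64le, riscv64 and s390x), so an unpinned `actions/checkout@v7` here means the code that produces the release artifacts depends on wherever the `v7` tag points on the day of the build; pin it to a full commit SHA and add `persist-credentials: false`, and apply the same change to the second checkout in this file (the `@@ -69,7 +69,7 @@` hunk) so the two steps do not drift apart.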
@@ -69,7 +69,7 @@ jobs:
run: sudo apt-get install dos2unix

- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

- name: Install Go
uses: actions/setup-go@v5
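Review bot: same finding as the first checkout in this file: `actions/checkout@v7` in this hunk is a tag, not a commit SHA, and no `with: persist-credentials: false` follows it; the `actions/setup-go@v5` context line shows the rest of the workflow uses the same tag-based pattern, so a single follow-up that pins every `uses:` in the file would be cleaner than hardening checkout alone.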
10 changes: 5 additions & 5 deletions .github/workflows/test.yaml
@@ -12,7 +12,7 @@ jobs:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test.yaml | sed -n '10,120p'

Repository: openshift/containernetworking-plugins

Length of output: 3943


Pin all checkout actions to full commit SHA and disable credential persistence.

All five checkout steps at lines 15, 31, 46, 77, and 108 use the mutable tag @v7 and do not disable credential persistence, violating the CI/CD security baseline.

Suggested patch pattern (apply to each checkout step)
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA_FOR_V7>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml at line 15, all five checkout action steps using
actions/checkout@v7 at lines 15, 31, 46, 77, and 108 need security hardening.
Replace the mutable version tag `@v7` with a pinned full commit SHA (the specific
commit hash for that release) and add the persist-credentials: false parameter
to each checkout step to disable credential persistence. This ensures
reproducible deployments and reduces security risk by not storing Git
credentials in the runner environment.

Sources: Coding guidelines, Linters/SAST tools

- name: setup go
uses: actions/setup-go@v5
with:
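Review bot: the Lint job's `- uses: actions/checkout@v7` (first line of the steps list) is the first of five identical checkouts in this file, and the bump leaves all of them unpinned with credential persistence on; a lint job only needs to read the tree, so it is the clearest case for `persist-credentials: false`, and pinning this step while the other four (the `@@ -28`, `@@ -43`, `@@ -74` and `@@ -105` hunks) stay on the tag would give a false sense of coverage, so apply the pattern in the suggested patch to every checkout hunk in this file.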
@@ -28,7 +28,7 @@ jobs:
name: Verify vendor directory
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7
- name: Install Go
uses: actions/setup-go@v5
with:
@@ -43,7 +43,7 @@ jobs:
needs: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7
- name: setup go
uses: actions/setup-go@v5
with:
@@ -74,7 +74,7 @@ jobs:
run: |
sudo apt-get install dnsmasq
sudo systemctl disable --now dnsmasq
- uses: actions/checkout@v4
- uses: actions/checkout@v7
- name: setup go
uses: actions/setup-go@v5
with:
@@ -105,7 +105,7 @@ jobs:
needs: build
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7
- name: setup go
uses: actions/setup-go@v5
with:
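Review bot: the `windows-latest` job's checkout in this hunk needs the same treatment as the Linux jobs: `actions/checkout@v7` is still a mutable tag and nothing sets `persist-credentials: false`; the runner OS changes neither finding, so the SHA pin and the `with:` block belong here too.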
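A line-based audit of the two zizmor rules quoted in the review comments above (`unpinned-uses` and `artipacked`), written as an added example that is not part of this PR, of the reviewer's `rg` script or of zizmor itself; it assumes workflow text shaped like the hunks on this page, and the 40-hex value in the constructed sample is a placeholder, not a real actions/checkout commit.

```python
import re
# owner/repo[/path]@ref; local "./..." actions and docker:// images never match and are skipped.
USES_RE = re.compile(r"^-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^persist-credentials:\s*false\b")

def split_steps(text):
    """Line-based heuristic, not a YAML parser: a step starts at a '- ' item whose first key
    is name/uses/run and owns every line up to the next one. Returns [(start, [(lineno, line)])]."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("- ") and line[2:].lstrip().split(":")[0] in ("name", "uses", "run"):
            steps.append((lineno, []))
        if steps:
            steps[-1][1].append((lineno, line))
    return steps

def audit_workflow(text):
    """Return (lineno, rule, message) for each finding, in file order."""
    findings = []
    for start, lines in split_steps(text):
        for lineno, line in lines:
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref = m.groups()
            if not FULL_SHA_RE.match(ref):  # tags and branches move; only a full SHA is immutable
                findings.append((lineno, "unpinned-uses", f"{action}@{ref} is not pinned to a full commit SHA"))
            if action.startswith("actions/checkout") and not any(PERSIST_OFF_RE.match(l) for _, l in lines):
                findings.append((start, "artipacked", "checkout step does not set persist-credentials: false"))
    return findings

# Constructed sample modelled on the hunks above; the 40-hex value is a made-up placeholder.
SAMPLE = """\
steps:
  - uses: actions/checkout@v7
  - name: setup go
    uses: actions/setup-go@v5
  - name: Checkout code
    uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA, not real
    with:
      persist-credentials: false
  - uses: ./.github/actions/retest-action
"""

if __name__ == "__main__":
    for lineno, rule, msg in audit_workflow(SAMPLE):
        print(f"SAMPLE:{lineno}: [{rule}] {msg}")
```

Run it over `.github/workflows/*.yml` by passing each file's text to `audit_workflow`; a clean file returns an empty list.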