
chore(deps): bump actions/checkout from 6 to 7#1238

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7

Conversation

dependabot[bot] commented on behalf of github Jul 1, 2026


Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jul 1, 2026
dependabot[bot] requested a review from a team as a code owner July 1, 2026 00:03
dependabot[bot] added the github_actions (Pull requests that update GitHub Actions code) label Jul 1, 2026
dependabot[bot] requested review from sc-david-voisin and removed request for a team July 1, 2026 00:03
github-actions[bot] enabled auto-merge July 1, 2026 00:03
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
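Review bot: this hunk swaps one mutable tag for another (`actions/checkout@v6` to `actions/checkout@v7`), so the checkout code run in the windows-latest release job can still change with no diff in this repository; pin the line to the 40-character commit SHA that the v7 tag resolves to and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<40-character-commit-sha> # v7`. Since this is a semver-major bump and auto-merge is enabled on the PR, the v7.0.0 release notes (truncated above) should be checked for breaking changes before it lands.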


Semgrep identified an issue in your code:

actions/checkout@v7 is a mutable tag, so a repointed action could run attacker code in these release jobs and tamper with published artifacts.

More details about this

actions/checkout@v7 is a movable reference in this release workflow, so the code that runs in the releases and releases-windows jobs can change without any diff in this repository. If the owner of actions/checkout — or anyone who gains control of that action's publishing — repoints v7 to a malicious commit, that new code would run before goreleaser/goreleaser-action@v7 and before the jobs use ${{ secrets.GITHUB_TOKEN }}.

A plausible attack looks like this:

  1. An attacker compromises the action supply chain and moves the v7 tag for actions/checkout to attacker-controlled code.
  2. You push a new Git tag, so the releases and releases-windows jobs start because of if: ${{ github.ref_type == 'tag' }}.
  3. The step - uses: actions/checkout@v7 downloads and executes the attacker's updated action code on both runners.
  4. That malicious code can read the checked-out repository, inspect the workspace, and use the job's network access to exfiltrate data.
  5. In the same job, the attacker can target ${{ secrets.GITHUB_TOKEN }} from the Run GoReleaser step or tamper with files that GoReleaser will package, turning your release process into a backdoor distribution channel.

Because this workflow builds tagged releases, a silently repointed actions/checkout@v7 could let an attacker alter the exact code and artifacts you publish.

To resolve this comment:

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
View step-by-step instructions
  1. Replace the mutable action reference actions/checkout@v7 with a full 40-character commit SHA for the exact actions/checkout release you want to trust.
    For example, change it to uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 only if that SHA matches the release you intend to use.

  2. Get the correct SHA from the actions/checkout GitHub releases or tags page, then copy the commit ID that the v7 tag points to.
    Pinning to a commit SHA prevents the action owner from silently moving the tag later.

  3. Apply the same replacement to each actions/checkout@v7 step shown in this workflow so both jobs use the pinned commit:
    - uses: actions/checkout@<40-character-commit-sha>

  4. Keep the existing with: block unchanged, including fetch-depth: 0, because only the uses: reference needs to be pinned.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
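Review bot: the same mutable-tag concern applies to this `uses:` line in the ubuntu-24.04 releases job, which the Semgrep comment below notes runs with `contents: write` and `fetch-depth: 0` ahead of GoReleaser; pin it to the same commit SHA as the windows job so both release jobs run identical checkout code, and leave the existing `with:` block unchanged since only the `uses:` reference needs pinning.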


Semgrep identified an issue in your code:

actions/checkout@v7 is a mutable tag, so a repointed tag could run attacker-controlled code in your release jobs with repository write access.

More details about this

actions/checkout@v7 pulls whatever code the v7 tag points to at runtime instead of a specific commit. In this releases job, that action runs before GoReleaser and has access to the checked-out repository plus the job’s contents: write permission, so if the v7 tag were ever repointed to attacker-controlled code, that code would execute during your release pipeline.

A plausible attack looks like this:

  1. An attacker compromises the actions/checkout action or gains the ability to move its v7 tag to a different commit.
  2. Your workflow starts on a tag push (if: ${{ github.ref_type == 'tag' }}) and runs - uses: actions/checkout@v7 in the releases job.
  3. GitHub resolves @v7 to the attacker’s commit, and the malicious action code runs on ubuntu-24.04 inside your release job.
  4. That code can read the repository contents fetched by actions/checkout, use the job’s contents: write permission to alter release artifacts or create/update a GitHub release, and access GITHUB_TOKEN later exposed to the GoReleaser step.
  5. The result is a supply-chain compromise where users download a release produced or modified by attacker-controlled code, even though your workflow file still says actions/checkout@v7.

The same risk also appears in the releases-windows job, which uses the same mutable actions/checkout@v7 reference before building Windows releases.

To resolve this comment:

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # required by GoReleaser (https://goreleaser.com/ci/actions/#fetch-all-history)
View step-by-step instructions
  1. Replace the mutable action reference actions/checkout@v7 with a full 40-character commit SHA for the exact release you want to trust, for example actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  2. Apply the same change to the other actions/checkout@v7 step shown in this workflow so both checkout steps use the same pinned commit.
  3. Keep the existing with: block unchanged, so the step still uses fetch-depth: 0 after pinning. Pinning to a commit SHA prevents the action owner from silently changing what code runs under the same tag name.
  4. Alternatively, if you need a newer actions/checkout release than the example SHA, look up the commit behind that release on the action's GitHub releases page and pin uses: to that 40-character SHA instead of the version tag.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.
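The two Semgrep comments above describe the same fix for both release jobs: replace the mutable `actions/checkout@v7` tag with a full commit SHA. The following added example (not code from this PR, from Dependabot, or from Semgrep) scans a workflow for `uses:` references that are not SHA-pinned and rewrites them once the SHA has been resolved out of band; the sample workflow is constructed, and the SHA in it is the one quoted in the Semgrep suggestion, used only as a sample value that must be verified against the real v7 tag before use.

```python
import re

# Added example, not part of this PR or Semgrep's tooling: flag `uses:` refs
# not pinned to a full commit SHA, then rewrite them once the SHA has been
# resolved separately (e.g. `git ls-remote https://github.com/actions/checkout v7`).

USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """'sha' is immutable; 'tag' and 'branch_or_other' can be repointed."""
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch_or_other"

def find_mutable_uses(workflow_text):
    """Return (line_no, action, ref) for every uses: not pinned to a SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group("ref")) != "sha":
            findings.append((n, m.group("action"), m.group("ref")))
    return findings

def pin_line(line, resolved):
    """Rewrite a uses: line to resolved[(action, ref)], keeping the tag as a comment."""
    m = USES_RE.match(line)
    if not m:
        return line
    key = (m.group("action"), m.group("ref"))
    sha = resolved.get(key)
    if sha is None or not SHA_RE.match(sha):
        return line  # unresolved or malformed SHA: leave the line for a human
    return f"{m.group('indent')}{key[0]}@{sha} # {key[1]}{m.group('rest')}"

# Constructed sample mirroring the releases job discussed in this PR; the SHA
# is the one quoted in the Semgrep suggestion and must be verified before use.
SAMPLE_WORKFLOW = """\
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0
      - uses: goreleaser/goreleaser-action@v7
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v7
"""
```

Lines without an entry in the resolved mapping are left untouched, so the `with:` block and any action whose SHA has not yet been looked up survive unchanged for manual review.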
