Skip to content

chore: bump actions/checkout from 6 to 7 in the all group#638

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/all-640176b5ab
Closed

chore: bump actions/checkout from 6 to 7 in the all group#638
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/all-640176b5ab

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 1 update: actions/checkout.

Updates actions/checkout from 6 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@mitchnielsen

Copy link
Copy Markdown
Member

TL;DR

⚠️ REVIEW NEEDED — checkout v7 blocks fork PR checkout under pull_request_target, and three workflows in this repo do exactly that, so external contributors' PR CI will fail after merge unless allow-unsafe-pr-checkout: true is added.

📋 Full Review

Changes

Dependency Old → New Type
actions/checkout (9 workflow files) v6 → v7 major

Key Updates

actions/checkout (v7.0.0 release notes)

  • Breaking: refuses to check out fork PR code when the trigger is pull_request_target or workflow_run, unless the workflow opts in with allow-unsafe-pr-checkout: true (actions/checkout#2454)
  • Module upgraded to ESM and dependencies updated (internal, no user-facing impact)

CI Status

✅ All 13 checks passed (lint-test matrix across k8s 1.31–1.34 for server/worker/exporter charts, plus unittest).

Note: CI passing here is not conclusive for the breaking change — Dependabot branches live in this repo, so the fork-checkout block never triggers on this PR.

Breaking Changes

Three workflows run on pull_request_target and check out the PR head via repository: ${{ github.event.pull_request.head.repo.full_name }} + head SHA:

  • .github/workflows/server-lint-and-test.yaml
  • .github/workflows/worker-lint-and-test.yaml
  • .github/workflows/prometheus-prefect-exporter-lint-and-test.yaml

With v7, the checkout step will hard-fail for any PR opened from a fork. Options:

  1. Add allow-unsafe-pr-checkout: true to those three checkout steps. The server and worker workflows already gate external forks behind the Acceptance Tests (External) environment approval, so opting in there preserves the existing security model. The prometheus-exporter workflow has no environment gate — add one before opting in, or accept the (pre-existing) exposure knowingly.
  2. Or switch those workflows to pull_request if secrets access is not actually needed.

The other six files (releases, unittest, updatecli) check out the repo's own ref and are unaffected.

Risk Assessment

Medium - No effect on published charts or rendered manifests (workflow-only change), and same-repo PRs keep working. But fork-based contributor PRs will start failing CI at checkout until the opt-in flag (or a trigger change) lands, ideally in the same PR.


Reviewed by Claude Code /review-deps skill

@mitchnielsen

Copy link
Copy Markdown
Member

Will tackle this as part of https://linear.app/prefect/issue/PLA-2852.

@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/github_actions/all-640176b5ab branch July 8, 2026 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant