Skip to content

chore: bump actions/checkout from 6 to 7 in the all group#687

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/all-640176b5ab
Closed

chore: bump actions/checkout from 6 to 7 in the all group#687
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/all-640176b5ab

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 1 update: actions/checkout.

Updates actions/checkout from 6 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot requested a review from a team as a code owner July 1, 2026 03:22
@dependabot
dependabot Bot deployed to Acceptance Tests July 1, 2026 03:22 Active
@mitchnielsen

Copy link
Copy Markdown
Member

TL;DR

⚠️ REVIEW NEEDED — checkout v7 blocks fork-PR checkout in pull_request_target workflows by default, which will break acceptance-tests.yaml and build-terraform-docs.yaml for community fork PRs unless allow-unsafe-pr-checkout: true is added.

📋 Full Review

Changes

Dependency Old → New Type
actions/checkout v6 → v7 major

7 workflow files updated, all uses: actions/checkout@v6@v7.

Key Updates

actions/checkout (v7.0.0 release notes)

  • Breaking: checking out fork PR code from pull_request_target / workflow_run workflows is now blocked by default (#2454). A new allow-unsafe-pr-checkout: true input opts back in.
  • Module upgraded to ESM plus dependency bumps (no other behavior changes).

Breaking Changes

Two workflows in this repo do exactly what v7 now blocks:

Workflow Trigger Checkout
acceptance-tests.yaml pull_request_target ref: github.event.pull_request.head.sha
build-terraform-docs.yaml pull_request_target repository: head.repo.full_name + head SHA
  • Same-repo PRs (including Dependabot's) are unaffected, which is why CI on this PR looks fine.
  • Fork PRs from community contributors will fail at the checkout step in both workflows after merge.
  • Fix: add allow-unsafe-pr-checkout: true to those two checkout steps. Both jobs are environment-gated (Acceptance Tests / Docs), which is the mitigation checkout's warning is about — but confirm those environments require approval for untrusted contributors before opting in.

CI Status

⏳ Mostly passing, two pending:

  • ✅ Build and Test (ubuntu/macos/windows), Lint, Acceptance Tests - OSS, label
  • Acceptance Tests and Build Terraform Docs — the environment-gated pull_request_target workflows, likely awaiting environment approval

Recommend approving those runs and letting them finish before merging.

Risk Assessment

Medium — the bump itself is mechanical and same-repo CI passes, but merging as-is silently breaks fork-PR acceptance tests and docs builds. Add allow-unsafe-pr-checkout: true (after confirming environment approval gates) either in this PR or a fast follow-up.


Reviewed by Claude Code /review-deps skill

@mitchnielsen

Copy link
Copy Markdown
Member

Will tackle this as part of https://linear.app/prefect/issue/PLA-2852.

@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot
dependabot Bot deleted the dependabot/github_actions/all-640176b5ab branch July 8, 2026 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant