Skip to content

Update actions/checkout action to v7#155

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/actions-checkout-7.x
Open

Update actions/checkout action to v7#155
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/actions-checkout-7.x

Conversation

@renovate

@renovate renovate Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6v7

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
⚠️ ACTION actionlint 4 4 0 0.36s
❌ ACTION zizmor 4 0 1 0 0.46s
✅ COPYPASTE jscpd yes no no 2.05s
✅ JSON jsonlint 5 0 0 0.13s
✅ JSON npm-package-json-lint yes no no 0.48s
✅ JSON prettier 9 0 0 0 0.37s
✅ JSON v8r 9 0 0 9.2s
⚠️ MARKDOWN markdownlint 5 0 2 0 0.75s
✅ MARKDOWN markdown-table-formatter 5 0 0 0 0.29s
✅ REPOSITORY checkov yes no no 20.79s
✅ REPOSITORY gitleaks yes no no 8.61s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 54.84s
❌ REPOSITORY osv-scanner yes 17 no 2.08s
✅ REPOSITORY secretlint yes no no 0.85s
✅ REPOSITORY syft yes no no 3.31s
✅ REPOSITORY trivy yes no no 12.45s
✅ REPOSITORY trivy-sbom yes no no 0.26s
✅ REPOSITORY trufflehog yes no no 9.36s
✅ SPELL cspell 34 0 0 4.03s
⚠️ SPELL lychee 19 3 0 1.15s
✅ TYPESCRIPT prettier 9 0 0 0 1.05s
✅ YAML prettier 6 0 0 0 0.55s
✅ YAML v8r 6 0 0 6.35s
✅ YAML yamllint 6 0 0 0.61s

Detailed Issues

❌ REPOSITORY / osv-scanner - 17 errors
Scanning dir .
Starting filesystem walk for root: /
Scanned yarn.lock file and found 619 packages
End status: 29 dirs visited, 110 inodes visited, 1 Extract calls, 26.138268ms elapsed, 26.138438ms wall time

Total 11 packages affected by 17 known vulnerabilities (0 Critical, 6 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.
17 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+-------------------+---------+---------------+-----------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE           | VERSION | FIXED VERSION | SOURCE    |
+-------------------------------------+------+-----------+-------------------+---------+---------------+-----------+
| https://osv.dev/GHSA-4x5r-pxfx-6jf8 | 3.2  | npm       | @babel/core       | 7.25.2  | 7.29.6        | yarn.lock |
| https://osv.dev/GHSA-vpq2-c234-7xj6 | 3.3  | npm       | @tootallnate/once | 1.1.2   | 2.0.1         | yarn.lock |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion   | 1.1.12  | 1.1.13        | yarn.lock |
| https://osv.dev/GHSA-jxxr-4gwj-5jf2 | 6.5  | npm       | brace-expansion   | 5.0.5   | 5.0.6         | yarn.lock |
| https://osv.dev/GHSA-h67p-54hq-rp68 | 5.3  | npm       | js-yaml           | 3.14.1  | 4.2.0         | yarn.lock |
| https://osv.dev/GHSA-mh29-5h37-fv8m | 5.3  | npm       | js-yaml           | 3.14.1  | 3.14.2        | yarn.lock |
| https://osv.dev/GHSA-h67p-54hq-rp68 | 5.3  | npm       | js-yaml           | 3.14.2  | 4.2.0         | yarn.lock |
| https://osv.dev/GHSA-f23m-r3pf-42rh | 6.5  | npm       | lodash            | 4.17.23 | 4.18.0        | yarn.lock |
| https://osv.dev/GHSA-r5fr-rjxr-66jc | 8.1  | npm       | lodash            | 4.17.23 | 4.18.0        | yarn.lock |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch         | 2.3.1   | 2.3.2         | yarn.lock |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch         | 2.3.1   | 2.3.2         | yarn.lock |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch         | 4.0.3   | 4.0.4         | yarn.lock |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch         | 4.0.3   | 4.0.4         | yarn.lock |
| https://osv.dev/GHSA-9ppj-qmqm-q256 | 8.2  | npm       | tar               | 7.5.9   | 7.5.11        | yarn.lock |
| https://osv.dev/GHSA-qffp-2rhf-9h96 | 8.2  | npm       | tar               | 7.5.9   | 7.5.10        | yarn.lock |
| https://osv.dev/GHSA-vmf3-w455-68vh | 6.9  | npm       | tar               | 7.5.9   | 7.5.16        | yarn.lock |
| https://osv.dev/GHSA-w5hq-g745-h8pq | 7.5  | npm       | uuid              | 8.3.2   | 11.1.1        | yarn.lock |
+-------------------------------------+------+-----------+-------------------+---------+---------------+-----------+
❌ ACTION / zizmor - 1 error
INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/deploy.yml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN
⚠️ ACTION / actionlint - 4 errors
.github/workflows/deploy.yml:38:11: input "always-auth" is not defined in action "actions/setup-node@v6". available inputs are "architecture", "cache", "cache-dependency-path", "check-latest", "mirror", "mirror-token", "node-version", "node-version-file", "package-manager-cache", "registry-url", "scope", "token" [action]
   |
38 |           always-auth: true
   |           ^~~~~~~~~~~~
.github/workflows/deploy.yml:64:11: input "always-auth" is not defined in action "actions/setup-node@v6". available inputs are "architecture", "cache", "cache-dependency-path", "check-latest", "mirror", "mirror-token", "node-version", "node-version-file", "package-manager-cache", "registry-url", "scope", "token" [action]
   |
64 |           always-auth: true
   |           ^~~~~~~~~~~~
.github/workflows/github-dependents-info.yml:54:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
54 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:54:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
54 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
⚠️ SPELL / lychee - 3 errors
📝 Summary
---------------------
🔍 Total...........49
🔗 Unique..........43
✅ Successful......33
⏳ Timeouts.........0
🔀 Redirected......10
👻 Excluded........13
❓ Unknown..........0
🚫 Errors...........3
⛔ Unsupported......3

Errors in README.md
[403] https://npmjs.org/package/node-sarif-builder (at 3:1) | Rejected status code: 403 Forbidden | Followed 1 redirect. Redirects: https://npmjs.org/package/node-sarif-builder --[301]--> https://www.npmjs.com/package/node-sarif-builder
[403] https://npmjs.org/package/node-sarif-builder (at 4:1) | Rejected status code: 403 Forbidden | Followed 1 redirect. Redirects: https://npmjs.org/package/node-sarif-builder --[301]--> https://www.npmjs.com/package/node-sarif-builder
[403] https://npmjs.org/package/node-sarif-builder (at 5:1) | Rejected status code: 403 Forbidden | Followed 1 redirect. Redirects: https://npmjs.org/package/node-sarif-builder --[301]--> https://www.npmjs.com/package/node-sarif-builder

Hint: Followed 10 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ MARKDOWN / markdownlint - 2 errors
.github/ISSUE_TEMPLATE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "- **I'm submitting a ...**"]
.github/PULL_REQUEST_TEMPLATE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "- **What kind of change does t..."]

Notices

⚠️ ESLint v10 flat-config migration required - the following linters are disabled until you migrate: JAVASCRIPT_ES, JSON_ESLINT_PLUGIN_JSONC, JSX_ESLINT, TSX_ESLINT, TYPESCRIPT_ES. Only legacy .eslintrc.json was detected; ESLint v10 dropped support for the .eslintrc.* format. Please migrate to eslint.config.mjs. See the ESLint migration guide.

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,ACTION_ZIZMOR,COPYPASTE_JSCPD,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,TYPESCRIPT_PRETTIER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants