docs+ci: bump actions/checkout to v7#37
Conversation
…over) v7's only behavior change blocks fork-PR checkout under pull_request_target/workflow_run triggers (actions/checkout#2454); nothing here uses those. Coordinated with pgup-ai/jbot-review#90 and the landing site so every documented snippet pins the same major.
📝 WalkthroughWalkthroughThe pull request updates all listed ChangesCheckout action update
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
PR Summary by Qododocs+ci: bump actions/checkout to v7
AI Description
Diagram
High-Level Assessment
Files changed (3)
|
22 occurrences across index.html (hero + setup, rendered <pre> and TEXTS copy strings) and all nine guide pages (rendered <pre> + TEXTS each). Coordinated with pgup-ai/jbot-review#90 and pgup-ai/jbot-review-action#37 so every documented snippet pins the same major. Safe for the documented setup: v7's only behavior change blocks fork-PR checkout under pull_request_target/workflow_run triggers (actions/checkout#2454) — every snippet here triggers on pull_request.
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
examples/jbot-review.yml (1)
140-145: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick winDisable checkout credential persistence. The workflow already passes
github-tokendirectly topgup-ai/jbot-review-action, soactions/checkoutdoesn’t need to leave its token in.git/config. Addpersist-credentials: false.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/jbot-review.yml` around lines 140 - 145, The actions/checkout step should not persist its authentication token in the repository configuration. In the checkout step identified by actions/checkout@v7, add persist-credentials: false alongside the existing fetch-depth and ref options.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@examples/jbot-review.yml`:
- Around line 140-145: The actions/checkout step should not persist its
authentication token in the repository configuration. In the checkout step
identified by actions/checkout@v7, add persist-credentials: false alongside the
existing fetch-depth and ref options.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: c7c91b73-f457-4d09-8efa-a6f9d429450a
📒 Files selected for processing (3)
.github/workflows/move-v0-tag.ymlREADME.mdexamples/jbot-review.yml
|
Qodo found 1 finding(s) but none met the |
Kody Review CompleteGreat news! 🎉 Keep up the excellent work! 🚀 Kody Guide: Usage and ConfigurationInteracting with Kody
Current Kody ConfigurationReview OptionsThe following review options are enabled or disabled:
|
…ackends) (#14) * Landing: Grok Build CLI (7th seat) everywhere + pi SDK engine credits Sync with jbot-review PRs #88 (pi SDK engine) and #89 (Grok Build CLI), both published in the action's moving v0 tag (56fa59f). - Grok Build joins every CLI-subscription list: meta/OG/Twitter descriptions (index + x.html), JSON-LD SoftwareApplication featureList + FAQ (both copies), model-wall chip, hub lede/table/notes/FAQ, all six spokes' cross-links and counts, four compare tables, llms.txt - 28+ -> 29+ backends (a 7th distinct CLI backend exists; monotonic bump) - New spoke guides/grok-code-review-github-actions.html + on-brand og-guide-grok-20260710.png (rendered from the guide OG template via headless Chrome); guides index card + ItemList entry; sitemap entry - pi SDK credited as an engine, not marketed as a gateway: footer Resources link, llms.txt Engines fact + credit line. No public taxonomy change ("OpenCode gateways" stays; users bring the same keys) - sitemap lastmod bumped on every edited page - fix pre-existing FAQ sync drift found by verification: cubic JSON-LD "3x" -> "3×" to match the visible answer * Wall: drop the Claude chip from CLI subscriptions; optical sizes for Z.ai and Gemini The Claude chip sat in the CLI-subscriptions card since the redesign (#9), implying a Claude seat works as a CI credential — the FAQ says it doesn't. Claude stays in the OpenCode gateways card, where the claim is accurate. The card now shows exactly the seven supported seats. Z.ai's solid Z read heavy at the uniform 12px and Gemini's thin star read light; per-brand height modifiers (the existing .chip-ic--nv pattern) bring both to optical parity. Verified at 1280px and 375px — no overflow, scrollWidth == viewport. * Review feedback: finish the Grok Build list sweep missed by phrase greps - devin guide: "unlike Codex, Cline, and Kilo" secret-shape note had twin stale copies in the JSON-LD FAQ and visible FAQ (they matched each other, so the sync check passed) — both now include Grok Build - qodo + coderabbit compare pages: the seat list inside the PR-Agent and pricing FAQ answers (both copies each) now includes Grok Build - kilo guide: callout + rel-card were skipped in the first pass — the self-excluding list ends "Cline, and Command Code", which no stale pattern matched; both now include Grok Build - grok guide rel-card: "All seven seats side by side" instead of a six-name list that read as contradicting the "all seven" callout Not applied from review: grok-auth->GROK_AUTH_JSON rename (input vs secret — the table column is "Action input", matching codex-auth/kilo-auth rows and action.yml); checkout@v6->v7 on one page (upstream READMEs and all ~20 site snippets pin v6; needs a coordinated bump, not a one-page fork). * YAML snippets: actions/checkout v6 -> v7 site-wide 22 occurrences across index.html (hero + setup, rendered <pre> and TEXTS copy strings) and all nine guide pages (rendered <pre> + TEXTS each). Coordinated with pgup-ai/jbot-review#90 and pgup-ai/jbot-review-action#37 so every documented snippet pins the same major. Safe for the documented setup: v7's only behavior change blocks fork-PR checkout under pull_request_target/workflow_run triggers (actions/checkout#2454) — every snippet here triggers on pull_request.
Pull Request Description
This PR upgrades the
actions/checkoutGitHub Action from v6 to v7 across all references in the repository.Changes
.github/workflows/move-v0-tag.yml— Updated the checkout action used in the tag-moving CI workflow to v7.README.md— Updated the example workflow snippet to referenceactions/checkout@v7.examples/jbot-review.yml— Updated the example workflow file to referenceactions/checkout@v7.Purpose
Keeps all workflow definitions and documentation examples aligned with the latest major version of the checkout action, ensuring compatibility and access to the newest features/fixes provided by
actions/checkout@v7.