Skip to content

docs+ci: bump actions/checkout to v7#37

Merged
jingbof merged 1 commit into
mainfrom
docs/checkout-v7
Jul 11, 2026
Merged

docs+ci: bump actions/checkout to v7#37
jingbof merged 1 commit into
mainfrom
docs/checkout-v7

Conversation

@jingbof

@jingbof jingbof commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Pull Request Description

This PR upgrades the actions/checkout GitHub Action from v6 to v7 across all references in the repository.

Changes

  • .github/workflows/move-v0-tag.yml — Updated the checkout action used in the tag-moving CI workflow to v7.
  • README.md — Updated the example workflow snippet to reference actions/checkout@v7.
  • examples/jbot-review.yml — Updated the example workflow file to reference actions/checkout@v7.

Purpose

Keeps all workflow definitions and documentation examples aligned with the latest major version of the checkout action, ensuring compatibility and access to the newest features/fixes provided by actions/checkout@v7.

…over)

v7's only behavior change blocks fork-PR checkout under
pull_request_target/workflow_run triggers (actions/checkout#2454); nothing
here uses those. Coordinated with pgup-ai/jbot-review#90 and the landing
site so every documented snippet pins the same major.
@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The pull request updates all listed actions/checkout references from v6 to v7 in the tag-management workflow, example workflow, and README snippet.

Changes

Checkout action update

Layer / File(s) Summary
Update checkout action references
.github/workflows/move-v0-tag.yml, examples/jbot-review.yml, README.md
Workflow and documentation examples now use actions/checkout@v7 without other logic changes.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: updating documented and workflow checkout references to actions/checkout v7.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/checkout-v7

Comment @coderabbitai help to get the list of available commands.

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

docs+ci: bump actions/checkout to v7

📝 Documentation ⚙️ Configuration changes 🕐 Less than 10 minutes

Grey Divider

AI Description

• Bump actions/checkout usage from v6 to v7 across documented workflows and CI.
• Keep README and example workflow snippets aligned with the project’s pinned major.
• Preserve current triggers (no pull_request_target/workflow_run fork checkout impact).
Diagram

graph TD
  A[".github/workflows/move-v0-tag.yml"] --> X(["actions/checkout@v7"])
  B["README.md"] --> X
  C["examples/jbot-review.yml"] --> X
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Pin actions/checkout to a commit SHA
  • ➕ Stronger supply-chain security than major-version tags
  • ➕ Eliminates surprise changes if a major tag were ever repointed (rare, but possible)
  • ➖ More maintenance overhead to update SHAs
  • ➖ Less readable than @v7 and diverges from common GitHub Actions conventions
2. Delegate action bumps to Dependabot (github-actions ecosystem)
  • ➕ Automates future updates and keeps versions consistent
  • ➕ Produces focused PRs with changelog context
  • ➖ Adds tooling/process dependency
  • ➖ Still requires human review for behavioral changes (e.g., trigger-related security changes)

Recommendation: Keep the PR’s current approach (pin to actions/checkout@v7) since it aligns all user-facing snippets and CI with minimal churn. Consider adding Dependabot for ongoing GitHub Actions updates if this repo prefers automated version maintenance.

Files changed (3) +3 / -3

Documentation (2) +2 / -2
README.mdUpdate README workflow snippet to actions/checkout@v7 +1/-1

Update README workflow snippet to actions/checkout@v7

• Bumps the documented checkout step from v6 to v7 to match the project’s recommended configuration.

README.md

jbot-review.ymlUpdate example workflow to actions/checkout@v7 +1/-1

Update example workflow to actions/checkout@v7

• Updates the example workflow’s checkout step to actions/checkout@v7 to keep the example consistent with CI and README snippets.

examples/jbot-review.yml

Other (1) +1 / -1
move-v0-tag.ymlBump checkout action to v7 in v0 tag mover workflow +1/-1

Bump checkout action to v7 in v0 tag mover workflow

• Updates the workflow step to use actions/checkout@v7 instead of v6 while keeping fetch-depth and tag fetching behavior unchanged.

.github/workflows/move-v0-tag.yml

jingbof added a commit to pgup-ai/jbot-review-landing that referenced this pull request Jul 11, 2026
22 occurrences across index.html (hero + setup, rendered <pre> and TEXTS
copy strings) and all nine guide pages (rendered <pre> + TEXTS each).
Coordinated with pgup-ai/jbot-review#90 and pgup-ai/jbot-review-action#37
so every documented snippet pins the same major.

Safe for the documented setup: v7's only behavior change blocks fork-PR
checkout under pull_request_target/workflow_run triggers
(actions/checkout#2454) — every snippet here triggers on pull_request.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
examples/jbot-review.yml (1)

140-145: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Disable checkout credential persistence. The workflow already passes github-token directly to pgup-ai/jbot-review-action, so actions/checkout doesn’t need to leave its token in .git/config. Add persist-credentials: false.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/jbot-review.yml` around lines 140 - 145, The actions/checkout step
should not persist its authentication token in the repository configuration. In
the checkout step identified by actions/checkout@v7, add persist-credentials:
false alongside the existing fetch-depth and ref options.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@examples/jbot-review.yml`:
- Around line 140-145: The actions/checkout step should not persist its
authentication token in the repository configuration. In the checkout step
identified by actions/checkout@v7, add persist-credentials: false alongside the
existing fetch-depth and ref options.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c7c91b73-f457-4d09-8efa-a6f9d429450a

📥 Commits

Reviewing files that changed from the base of the PR and between 56fa59f and f8575a6.

📒 Files selected for processing (3)
  • .github/workflows/move-v0-tag.yml
  • README.md
  • examples/jbot-review.yml

@qodo-code-review

Copy link
Copy Markdown

Qodo found 1 finding(s) but none met the inline_comments_severity_threshold (current: 2). Lower the threshold or switch comments_location_policy to 'summary' or 'both' to see them.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

Re-trigger cubic

@kody-ai

kody-ai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Kody Review Complete

Great news! 🎉
No issues were found that match your current review configurations.

Keep up the excellent work! 🚀

Kody Guide: Usage and Configuration
Interacting with Kody
  • Request a Review: Ask Kody to review your PR manually by adding a comment with the @kody start-review command at the root of your PR.

  • Validate Business Logic: Ask Kody to validate your code against business rules by adding a comment with the @kody -v business-logic command.

  • Provide Feedback: Help Kody learn and improve by reacting to its comments with a 👍 for helpful suggestions or a 👎 if improvements are needed.

Current Kody Configuration
Review Options

The following review options are enabled or disabled:

Options Enabled
Bug
Performance
Security
Business Logic

Access your configuration settings here.

jingbof added a commit to pgup-ai/jbot-review-landing that referenced this pull request Jul 11, 2026
…ackends) (#14)

* Landing: Grok Build CLI (7th seat) everywhere + pi SDK engine credits

Sync with jbot-review PRs #88 (pi SDK engine) and #89 (Grok Build CLI),
both published in the action's moving v0 tag (56fa59f).

- Grok Build joins every CLI-subscription list: meta/OG/Twitter descriptions
  (index + x.html), JSON-LD SoftwareApplication featureList + FAQ (both
  copies), model-wall chip, hub lede/table/notes/FAQ, all six spokes'
  cross-links and counts, four compare tables, llms.txt
- 28+ -> 29+ backends (a 7th distinct CLI backend exists; monotonic bump)
- New spoke guides/grok-code-review-github-actions.html + on-brand
  og-guide-grok-20260710.png (rendered from the guide OG template via
  headless Chrome); guides index card + ItemList entry; sitemap entry
- pi SDK credited as an engine, not marketed as a gateway: footer
  Resources link, llms.txt Engines fact + credit line. No public taxonomy
  change ("OpenCode gateways" stays; users bring the same keys)
- sitemap lastmod bumped on every edited page
- fix pre-existing FAQ sync drift found by verification: cubic JSON-LD
  "3x" -> "3×" to match the visible answer

* Wall: drop the Claude chip from CLI subscriptions; optical sizes for Z.ai and Gemini

The Claude chip sat in the CLI-subscriptions card since the redesign (#9),
implying a Claude seat works as a CI credential — the FAQ says it doesn't.
Claude stays in the OpenCode gateways card, where the claim is accurate.
The card now shows exactly the seven supported seats.

Z.ai's solid Z read heavy at the uniform 12px and Gemini's thin star read
light; per-brand height modifiers (the existing .chip-ic--nv pattern) bring
both to optical parity. Verified at 1280px and 375px — no overflow,
scrollWidth == viewport.

* Review feedback: finish the Grok Build list sweep missed by phrase greps

- devin guide: "unlike Codex, Cline, and Kilo" secret-shape note had twin
  stale copies in the JSON-LD FAQ and visible FAQ (they matched each other,
  so the sync check passed) — both now include Grok Build
- qodo + coderabbit compare pages: the seat list inside the PR-Agent and
  pricing FAQ answers (both copies each) now includes Grok Build
- kilo guide: callout + rel-card were skipped in the first pass — the
  self-excluding list ends "Cline, and Command Code", which no stale
  pattern matched; both now include Grok Build
- grok guide rel-card: "All seven seats side by side" instead of a
  six-name list that read as contradicting the "all seven" callout

Not applied from review: grok-auth->GROK_AUTH_JSON rename (input vs secret
— the table column is "Action input", matching codex-auth/kilo-auth rows
and action.yml); checkout@v6->v7 on one page (upstream READMEs and all ~20
site snippets pin v6; needs a coordinated bump, not a one-page fork).

* YAML snippets: actions/checkout v6 -> v7 site-wide

22 occurrences across index.html (hero + setup, rendered <pre> and TEXTS
copy strings) and all nine guide pages (rendered <pre> + TEXTS each).
Coordinated with pgup-ai/jbot-review#90 and pgup-ai/jbot-review-action#37
so every documented snippet pins the same major.

Safe for the documented setup: v7's only behavior change blocks fork-PR
checkout under pull_request_target/workflow_run triggers
(actions/checkout#2454) — every snippet here triggers on pull_request.
@jingbof jingbof merged commit 20e039f into main Jul 11, 2026
3 checks passed
@jingbof jingbof deleted the docs/checkout-v7 branch July 11, 2026 06:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant