chore(deps): update actions/checkout action to v7#1419
Conversation
✅ Deploy Preview for stranske-trip-planner canceled.
|
📝 WalkthroughWalkthroughAll Changesactions/checkout v6 → v7 bump
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 9
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/agents-71-codex-belt-dispatcher.yml:
- Line 170: The changes at line 170, line 186, and line 296 in the
agents-71-codex-belt-dispatcher.yml workflow file are modifications to a synced
workflow that should not be made locally. Per repo policy, revert all three
changes from this file and instead make those same modifications in the
stranske/Workflows repository. Once the changes are applied there, the sync
process will automatically update this agents-71-codex-belt-dispatcher.yml file,
preventing local drift that would otherwise be overwritten.
In @.github/workflows/agents-81-gate-followups.yml:
- Line 84: This is a synced workflow file from the stranske/Workflows repository
template, so changes must be applied to the source template instead of locally.
Navigate to stranske/Workflows and locate the template file at
templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml. In that
file, add persist-credentials: false to the three
actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 instances (at lines
84, 384, and 547) to harden the workflow by reducing token exposure surface in
these read-only jobs that do not push commits.
In @.github/workflows/agents-auto-pilot.yml:
- Line 74: Revert the changes you made to the agents-auto-pilot.yml workflow
file (including the actions/checkout update at line 74 and the additional
changes at lines 158 and 184) since agents-*.yml workflows must be modified
upstream in the stranske/Workflows repository, not locally in this repo. Apply
these same changes to the corresponding agents-auto-pilot.yml file in the
stranske/Workflows repository instead, and then allow the sync process to
propagate the changes back down to this repository to avoid drift and unintended
overwrites during future syncs.
In @.github/workflows/autofix.yml:
- Line 70: Revert the actions/checkout action from v7.0.0 back to v6 in three
locations within the autofix.yml workflow file (lines 70, 94, and 521). Replace
each instance of `actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0` with `actions/checkout@v6` to maintain consistency with the reusable
workflow reusable-18-autofix.yml which still uses v6, ensuring version
compatibility across all consumer repositories that depend on these workflows.
In @.github/workflows/baseline-report.yml:
- Line 28: In the baseline-report.yml file, update the actions/checkout action
reference from the unpinned tag `@v7` to a pinned commit SHA format. Replace the
tag reference with the specific commit SHA used in other workflows in this
repository (mentioned as v7.0.0 format) and include an inline version comment to
maintain consistency with other workflow files that follow this pinning
convention.
In @.github/workflows/ci.yml:
- Line 43: The `actions/checkout@v7` reference in the workflow file uses an
unpinned tag instead of a specific commit SHA, which violates the repository's
security guideline for GitHub Actions. Replace the `@v7` tag reference with the
pinned commit SHA format for v7.0.0, including an inline version comment for
clarity, to match the pattern used consistently in other workflows in the
repository.
In @.github/workflows/cross-repo-smoke.yml:
- Line 32: Replace the unpinned tag reference `@v7` with the specific commit SHA
for the v7.0.0 release of actions/checkout on both line 32 and line 37. Use the
pinned commit SHA format with an inline version comment for consistency,
matching the pattern used by other workflows in the repository.
In @.github/workflows/maint-dependabot-auto-lock.yml:
- Line 23: The `actions/checkout@v7` action is using a mutable version tag
instead of being pinned to an immutable commit SHA, which does not match the
repository's standardization policy. Replace the mutable `@v7` reference in the
`actions/checkout` action with a pinned commit SHA format (such as the v7.0.0
commit SHA that other workflows in the repository already use) to ensure
consistency with the repository's security and reproducibility standards.
In @.github/workflows/pr-00-gate.yml:
- Around line 50-52: The checkout steps using the mutable `actions/checkout@v7`
action at lines 51, 95, and 132 need to be pinned to a specific SHA version and
configured to not persist credentials since these steps do not perform any git
push operations. Replace each instance of `uses: actions/checkout@v7` with the
pinned v7.0.0 SHA, and add the `persist-credentials: false` parameter to each of
the three checkout step definitions to improve workflow security and
reproducibility.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 4329ba98-3311-4812-bd34-1c23d307de9d
📒 Files selected for processing (27)
.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-81-gate-followups.yml.github/workflows/agents-auto-label.yml.github/workflows/agents-auto-pilot.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-decompose.yml.github/workflows/agents-dedup.yml.github/workflows/agents-guard.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/agents-verifier.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/autofix.yml.github/workflows/backplane-conformance.yml.github/workflows/baseline-report.yml.github/workflows/ci.yml.github/workflows/cross-repo-smoke.yml.github/workflows/maint-76-claude-code-review.yml.github/workflows/maint-coverage-guard.yml.github/workflows/maint-dependabot-auto-lock.yml.github/workflows/pr-00-gate.yml.github/workflows/reusable-pr-context.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
stranske/Workflows(auto-detected)
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Runtime CI
- GitHub Check: Cross-Repo Smoke / cross-repo-full-product
🧰 Additional context used
📓 Path-based instructions (8)
{pyproject.toml,.github/workflows/**/*.{yml,yaml}}
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
Check both
pyproject.toml([tool.coverage.report] fail_under) AND workflow files forcoverage-minsettings; ensure these match or the lower value will be the effective threshold
Files:
.github/workflows/baseline-report.yml.github/workflows/agents-decompose.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/reusable-pr-context.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/maint-dependabot-auto-lock.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/cross-repo-smoke.yml.github/workflows/backplane-conformance.yml.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-auto-label.yml.github/workflows/ci.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-verifier.yml.github/workflows/maint-76-claude-code-review.yml.github/workflows/maint-coverage-guard.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-guard.yml.github/workflows/agents-auto-pilot.yml.github/workflows/pr-00-gate.yml.github/workflows/agents-dedup.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/autofix.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-81-gate-followups.yml
.github/workflows/**/*.{yml,yaml}
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
For GitHub Actions workflow
startup_failureerrors with zero jobs, check for invalid YAML syntax, top-levelpermissions:block onworkflow_callreusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references
Files:
.github/workflows/baseline-report.yml.github/workflows/agents-decompose.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/reusable-pr-context.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/maint-dependabot-auto-lock.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/cross-repo-smoke.yml.github/workflows/backplane-conformance.yml.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-auto-label.yml.github/workflows/ci.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-verifier.yml.github/workflows/maint-76-claude-code-review.yml.github/workflows/maint-coverage-guard.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-guard.yml.github/workflows/agents-auto-pilot.yml.github/workflows/pr-00-gate.yml.github/workflows/agents-dedup.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/autofix.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-81-gate-followups.yml
.github/workflows/*.yml
📄 CodeRabbit inference engine (CLAUDE.md)
In consumer repositories, reference reusable workflows with
@mainunless intentionally pinning to an exact commit SHA for a controlled reason
Files:
.github/workflows/baseline-report.yml.github/workflows/agents-decompose.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/reusable-pr-context.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/maint-dependabot-auto-lock.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/cross-repo-smoke.yml.github/workflows/backplane-conformance.yml.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-auto-label.yml.github/workflows/ci.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-verifier.yml.github/workflows/maint-76-claude-code-review.yml.github/workflows/maint-coverage-guard.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-guard.yml.github/workflows/agents-auto-pilot.yml.github/workflows/pr-00-gate.yml.github/workflows/agents-dedup.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/autofix.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-81-gate-followups.yml
**/.github/workflows/*.yml
📄 CodeRabbit inference engine (AGENTS.md)
Reference reusable workflows with
@mainunless intentionally pinning to an exact commit SHA for a controlled reason
Files:
.github/workflows/baseline-report.yml.github/workflows/agents-decompose.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/reusable-pr-context.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/maint-dependabot-auto-lock.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/cross-repo-smoke.yml.github/workflows/backplane-conformance.yml.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-auto-label.yml.github/workflows/ci.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-verifier.yml.github/workflows/maint-76-claude-code-review.yml.github/workflows/maint-coverage-guard.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-guard.yml.github/workflows/agents-auto-pilot.yml.github/workflows/pr-00-gate.yml.github/workflows/agents-dedup.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/autofix.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-81-gate-followups.yml
.github/workflows/agents-*.yml
📄 CodeRabbit inference engine (CLAUDE.md)
agents-*.yml workflows should be fixed in stranske/Workflows, not locally
Synced workflows with
agents-*.ymlfilenames should be fixed instranske/Workflows, not edited locally
Files:
.github/workflows/agents-decompose.yml.github/workflows/agents-keepalive-loop-reporter.yml.github/workflows/agents-verify-to-new-pr.yml.github/workflows/agents-capability-check.yml.github/workflows/agents-autofix-dispatcher.yml.github/workflows/agents-71-codex-belt-dispatcher.yml.github/workflows/agents-auto-label.yml.github/workflows/agents-weekly-metrics.yml.github/workflows/agents-73-codex-belt-conveyor.yml.github/workflows/agents-verifier.yml.github/workflows/agents-80-pr-event-hub.yml.github/workflows/agents-guard.yml.github/workflows/agents-auto-pilot.yml.github/workflows/agents-dedup.yml.github/workflows/agents-72-codex-belt-worker.yml.github/workflows/agents-issue-optimizer.yml.github/workflows/agents-81-gate-followups.yml
.github/workflows/ci.yml
📄 CodeRabbit inference engine (CLAUDE.md)
Keep ci.yml as repo-specific and edit locally
ci.ymlis repo-specific and should be edited locally, not synced fromstranske/Workflows
Files:
.github/workflows/ci.yml
.github/workflows/pr-00-gate.yml
📄 CodeRabbit inference engine (CLAUDE.md)
pr-00-gate.yml is a create-only standard file; keep it aligned with the standard gate in stranske/Workflows unless this repo has a documented reason to diverge
pr-00-gate.ymlis a create-only standard file that should be kept aligned with the Workflows standard unless this repo has a documented reason to diverge
Files:
.github/workflows/pr-00-gate.yml
.github/workflows/autofix.yml
📄 CodeRabbit inference engine (CLAUDE.md)
autofix.yml workflow should be fixed in stranske/Workflows, not locally
autofix.ymlshould be fixed instranske/Workflows, not edited locally
Files:
.github/workflows/autofix.yml
🪛 zizmor (1.25.2)
.github/workflows/baseline-report.yml
[warning] 28-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/agents-decompose.yml
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/maint-dependabot-auto-lock.yml
[warning] 23-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/agents-capability-check.yml
[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/cross-repo-smoke.yml
[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/backplane-conformance.yml
[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/agents-auto-label.yml
[warning] 55-57: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/ci.yml
[warning] 43-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/maint-coverage-guard.yml
[warning] 120-121: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/pr-00-gate.yml
[warning] 50-51: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 95-95: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 95-95: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 132-132: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/agents-dedup.yml
[warning] 31-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
.github/workflows/agents-81-gate-followups.yml
[warning] 83-84: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 383-384: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 546-547: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🔀 Multi-repo context stranske/Workflows
Based on my comprehensive exploration of the stranske/Workflows repository, I have identified critical cross-repository context relevant to this PR.
Linked repositories findings
stranske/Workflows [::stranske/Workflows::]
This is a reusable workflows repository that serves 13 active first-party consumer repositories: Travel-Plan-Permission, Template, trip-planner, Manager-Database, Portable-Alpha-Extension-Model, Trend_Model_Project, Collab-Admin, Counter_Risk, Pension-Data, Inv-Man-Intake, Ready, learning-management-system, and Fine-Art-Archive. The actions/checkout v6→v7 upgrade will directly impact all consumer repositories' CI/CD pipelines.
Critical Finding: Security Breaking Change in v7.0.0
The v7.0.0 release includes a significant security enhancement: "Blocks checking out fork pull requests for pull_request_target and workflow_run events." This is highly relevant because:
-
Multiple workflows explicitly handle fork PRs in protected event contexts: [::stranske/Workflows::]
.github/workflows/autofix.ymlis triggered bypull_request_targetevents (line:pull_request_target: types: [labeled])- It calls
.github/workflows/reusable-18-autofix.yml(a reusable workflow distributed to all 13 consumer repos) withpr_head_refparameter reusable-18-autofix.ymlincludes explicit fork PR detection logic (line 208:reason="fork-context") and passes the head ref to checkout:ref: ${{ env.PR_HEAD_REF || github.ref }}.github/workflows/reusable-70-orchestrator-main.ymlhas explicit fork detection withhead_is_forkflag and conditional dispatch behavior
-
Repository-wide impact: [::stranske/Workflows::]
- 214 total
actions/checkoutusages found - 27+ workflows use
pull_request_targetorworkflow_runevents that are affected by the v7.0.0 security change - Key reusable workflows affected:
reusable-18-autofix,reusable-20-pr-meta,reusable-70-orchestrator-init,reusable-70-orchestrator-main,reusable-agents-verifier, and agent runner workflows
- 214 total
-
Cascading impact to consumers: [::stranske/Workflows::]
- All 13 consumer repositories inherit these workflows and will experience the same behavior change
- Consumer repos reference workflows at
@main(latest) or pinned commits, so they will receive the security change immediately upon update
Potential Breaking Change:
The v7.0.0 security restriction may prevent actions/checkout from checking out fork PR branches in pull_request_target contexts, even when explicitly passing a ref parameter. This could break:
- Autofix workflows that process fork PRs
- Verification and keepalive workflows that depend on fork PR checkout
- Agent automation pipelines in both this repo and all 13 consumer repositories
Recommendation for Review:
Verify whether v7.0.0's fork PR blocking behavior respects explicitly-provided ref parameters, or if it enforces a blanket ban. If the latter, workflows will need refactoring to avoid using pull_request_target for operations that must support fork PRs.
🔇 Additional comments (15)
.github/workflows/agents-72-codex-belt-worker.yml (1)
293-293: Duplicate of synced-workflow source-of-truth issue already raised.Also applies to: 309-309, 572-577, 579-580
.github/workflows/agents-73-codex-belt-conveyor.yml (1)
187-187: Duplicate of synced-workflow source-of-truth issue already raised..github/workflows/agents-80-pr-event-hub.yml (1)
75-75: Duplicate of synced-workflow source-of-truth issue already raised.Also applies to: 255-255, 317-317
.github/workflows/agents-81-gate-followups.yml (1)
84-84: Duplicate of synced-workflow source-of-truth issue already raised.Also applies to: 846-846, 1283-1283, 1353-1353, 1551-1551
.github/workflows/agents-auto-label.yml (2)
36-36: Duplicate of synced-workflow source-of-truth issue already raised.Also applies to: 57-57
36-44: This fix should be applied tostranske/Workflows, not locally in this repository.According to the project's coding guidelines, synced workflows with the
agents-*.ymlfilename pattern must be fixed in the sharedstranske/Workflowsrepository, not edited locally in consumer repositories. Theagents-auto-label.ymlfile exists in both repositories and is maintained as a shared workflow.Additionally, the version divergence is problematic: the trip-planner version uses
actions/checkout@v7.0.0while the source instranske/Workflowsstill usesv6.0.3. If thepersist-credentials: falsehardening is appropriate, it should be applied to the source workflow instranske/Workflowsso all consumers inherit the improvement consistently.> Likely an incorrect or invalid review comment..github/workflows/agents-guard.yml (1)
34-34: Remove this concern—the workflow safely checks out the base branch, not fork code.This workflow uses
actions/checkout@v7.0.0in apull_request_targetcontext, but explicitly checks outgithub.event.pull_request.base.sha(the base repository's branch), not the fork's code. The v7.0.0 fork-blocking restriction only applies when checking out untrusted fork refs; checking out the base branch is unaffected. The workflow's design is intentionally safe and compatible with v7.0.0.> Likely an incorrect or invalid review comment..github/workflows/agents-keepalive-loop-reporter.yml (1)
27-27: This workflow correctly handles theactions/checkout@v7.0.0security restriction.The job uses
workflow_runcontext but omits therefparameter in the checkout step, which means it defaults to checking out the base branch—the officially recommended secure approach forworkflow_runevents. The v7.0.0 fork PR blocking behavior will not prevent this checkout from succeeding..github/workflows/agents-verifier.yml (1)
89-89: LGTM!Also applies to: 333-333
.github/workflows/agents-verify-to-new-pr.yml (1)
69-69: LGTM!.github/workflows/agents-weekly-metrics.yml (1)
30-30: LGTM!.github/workflows/backplane-conformance.yml (1)
28-28: LGTM!.github/workflows/maint-76-claude-code-review.yml (1)
29-29: LGTM!Also applies to: 117-117, 185-185
.github/workflows/maint-coverage-guard.yml (1)
36-36: LGTM!Also applies to: 121-121
.github/workflows/reusable-pr-context.yml (1)
138-138: LGTM!
|
|
||
| - name: Checkout repo (for retry helpers) | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
Do not patch synced agents-* workflows locally.
Line 170, Line 186, and Line 296 update a synced agents-*.yml workflow in this repo. Per repo policy, this change needs to be made in stranske/Workflows and then synced here; otherwise local drift will be overwritten.
As per coding guidelines, .github/workflows/agents-*.yml workflows should be fixed in stranske/Workflows, not locally.
Also applies to: 186-186, 296-296
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/agents-71-codex-belt-dispatcher.yml at line 170, The
changes at line 170, line 186, and line 296 in the
agents-71-codex-belt-dispatcher.yml workflow file are modifications to a synced
workflow that should not be made locally. Per repo policy, revert all three
changes from this file and instead make those same modifications in the
stranske/Workflows repository. Once the changes are applied there, the sync
process will automatically update this agents-71-codex-belt-dispatcher.yml file,
preventing local drift that would otherwise be overwritten.
Sources: Coding guidelines, Linked repositories
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the file exists and get its location
find . -name "agents-81-gate-followups.yml" -type fRepository: stranske/trip-planner
Length of output: 114
🏁 Script executed:
#!/bin/bash
# If file exists, read the relevant lines around 84, 384, and 547
if [ -f ".github/workflows/agents-81-gate-followups.yml" ]; then
echo "=== Lines 80-90 (around line 84) ==="
sed -n '80,90p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Lines 380-390 (around line 384) ==="
sed -n '380,390p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Lines 543-553 (around line 547) ==="
sed -n '543,553p' ".github/workflows/agents-81-gate-followups.yml"
fiRepository: stranske/trip-planner
Length of output: 1353
🏁 Script executed:
#!/bin/bash
# Check if the file also exists in stranske/Workflows
find . -name "agents-81-gate-followups.yml" -type fRepository: stranske/Workflows
Length of output: 135
🏁 Script executed:
#!/bin/bash
# Get the job context for all three checkout instances
echo "=== Context for Line 84 checkout (job name and full job) ==="
sed -n '1,84p' ".github/workflows/agents-81-gate-followups.yml" | tail -30
echo ""
echo "=== Context for Line 384 checkout ==="
sed -n '370,390p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Context for Line 547 checkout ==="
sed -n '535,560p' ".github/workflows/agents-81-gate-followups.yml"Repository: stranske/trip-planner
Length of output: 3692
🏁 Script executed:
#!/bin/bash
# Search for git push commands in this workflow file
echo "=== Looking for git push, git commit, or write operations ==="
rg -n "git (push|commit|add)" ".github/workflows/agents-81-gate-followups.yml" || echo "No direct git push/commit found"Repository: stranske/trip-planner
Length of output: 159
🏁 Script executed:
#!/bin/bash
# Check the template file in Workflows repo
echo "=== Template file in Workflows repo ==="
if [ -f "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" ]; then
echo "File exists. Checking for persist-credentials setting:"
rg "persist-credentials" "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" || echo "No persist-credentials found in template"
fiRepository: stranske/Workflows
Length of output: 198
🏁 Script executed:
#!/bin/bash
# Get exact job names
echo "=== Job name for line 84 ==="
sed -n '50,90p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^ [a-z-]+:" | tail -1
echo ""
echo "=== Full job for line 384 ==="
sed -n '370,395p' ".github/workflows/agents-81-gate-followups.yml" | head -20
echo ""
echo "=== Full job name for line 547 ==="
sed -n '510,550p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^ [a-z-]+:" | tail -1Repository: stranske/trip-planner
Length of output: 836
🏁 Script executed:
#!/bin/bash
# Check the full file for any git operations that might be hidden in steps
echo "=== All step names in this workflow ==="
rg "name:" ".github/workflows/agents-81-gate-followups.yml" | head -40Repository: stranske/trip-planner
Length of output: 1571
🏁 Script executed:
#!/bin/bash
# Get the complete list of what each of the three jobs does after checkout
echo "=== Job at line 84 (full context) ==="
sed -n '1,150p' ".github/workflows/agents-81-gate-followups.yml" | tail -60
echo ""
echo "=== Job at line 384 ==="
sed -n '375,430p' ".github/workflows/agents-81-gate-followups.yml"Repository: stranske/trip-planner
Length of output: 4935
Apply this security hardening to the source template in stranske/Workflows instead.
This is a synced workflow from the Workflows repository template. Per the coding guidelines, agents-*.yml workflows should be fixed in stranske/Workflows, not locally. The three checkout instances (lines 84, 384, 547) are in read-only jobs that do not push commits—persist-credentials: false is a valid hardening measure to reduce token exposure surface.
Apply the following patch to stranske/Workflows/templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml:
Proposed hardening patch for Workflows template
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false🧰 Tools
🪛 zizmor (1.25.2)
[warning] 83-84: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/agents-81-gate-followups.yml at line 84, This is a synced
workflow file from the stranske/Workflows repository template, so changes must
be applied to the source template instead of locally. Navigate to
stranske/Workflows and locate the template file at
templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml. In that
file, add persist-credentials: false to the three
actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 instances (at lines
84, 384, and 547) to harden the workflow by reducing token exposure surface in
these read-only jobs that do not push commits.
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout eligibility action | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
Update synced agents-*.yml workflows in stranske/Workflows, not in this repo.
These changes should be made upstream in stranske/Workflows and then synced down; local edits here risk drift and overwrite on next sync.
As per coding guidelines, "agents-*.yml workflows should be fixed in stranske/Workflows, not locally".
Also applies to: 158-158, 184-184
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/agents-auto-pilot.yml at line 74, Revert the changes you
made to the agents-auto-pilot.yml workflow file (including the actions/checkout
update at line 74 and the additional changes at lines 158 and 184) since
agents-*.yml workflows must be modified upstream in the stranske/Workflows
repository, not locally in this repo. Apply these same changes to the
corresponding agents-auto-pilot.yml file in the stranske/Workflows repository
instead, and then allow the sync process to propagate the changes back down to
this repository to avoid drift and unintended overwrites during future syncs.
Source: Coding guidelines
| steps: | ||
| - name: Checkout eligibility action | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub Actions checkout v7.0.0 fork pull request blocking behavior and whether explicit ref parameter bypasses fork blocking for pull_request_target events
💡 Result:
In version 7.0.0 and later, the actions/checkout action implements security guardrails that block the checkout of fork pull request code when the workflow is triggered by pull_request_target or workflow_run [1][2]. This change was introduced to prevent "pwn request" vulnerabilities, where executing untrusted fork code in a privileged context (i.e., one with access to base repository secrets and the GITHUB_TOKEN) could lead to unauthorized access [1][2]. Regarding the behavior of the ref parameter: 1. Blocking Mechanism: By default, the checkout action will refuse to fetch fork-based content in these privileged triggers [1][3]. Attempting to use an explicit ref parameter (such as a pull request head SHA) without the required opt-in will result in a failure [1][2]. 2. Bypassing the Block: To legitimately check out fork code in these scenarios, you must explicitly opt in by setting the allow-unsafe-pr-checkout input to true [1][2]. This should only be done after reviewing the associated security risks, as it effectively authorizes the execution of untrusted fork code in a trusted, privileged environment [1]. 3. Trusted Base-Branch Checkouts: Recent updates have refined this security validation [4]. The action now recognizes explicit checkout configurations targeting the base repository and its trusted base references as safe [4]. Specifically, checkouts are treated as safe if the repository is the base repository (or omitted) and the ref refers to the base SHA or base ref [4]. These safe patterns do not trigger the security block and do not require setting allow-unsafe-pr-checkout to true [4]. In summary, an explicit ref pointing to a fork's head SHA does not bypass the security block; rather, the block is enforced to prevent such unsafe checkouts unless you explicitly acknowledge the risk by enabling the safety bypass [1][2].
Citations:
- 1: https://github.com/actions/checkout/
- 2: block checking out fork pr for pull_request_target and workflow_run actions/checkout#2454
- 3: actions/checkout@f9e715a
- 4: Allow trusted base-branch checkout in
pull_request_targetvalidation github/gh-aw#37099
🏁 Script executed:
#!/bin/bash
# Check reusable-18-autofix.yml for allow-unsafe-pr-checkout configuration
rg -A 5 "actions/checkout" .github/workflows/reusable-18-autofix.yml || trueRepository: stranske/Workflows
Length of output: 964
🏁 Script executed:
#!/bin/bash
# Search for any allow-unsafe-pr-checkout usage in the workflows
rg "allow-unsafe-pr-checkout" .github/workflows/ || trueRepository: stranske/Workflows
Length of output: 44
🏁 Script executed:
#!/bin/bash
# Check the checkout actions in trip-planner's autofix.yml
sed -n '65,100p' .github/workflows/autofix.ymlRepository: stranske/trip-planner
Length of output: 1755
🏁 Script executed:
#!/bin/bash
# Check context around line 521 for the third checkout
sed -n '515,530p' .github/workflows/autofix.ymlRepository: stranske/trip-planner
Length of output: 584
🏁 Script executed:
#!/bin/bash
# Also check the full event trigger context for the resolve job
sed -n '80,95p' .github/workflows/autofix.ymlRepository: stranske/trip-planner
Length of output: 840
Remove upgrade to v7.0.0—stay with v6 to maintain compatibility with reusable-18-autofix.yml.
The reusable-18-autofix.yml in stranske/Workflows still uses actions/checkout@v6 and will not be updated as part of this PR. Since this reusable workflow is called on line 495 and handles fork PR scenarios by passing ref: ${{ env.PR_HEAD_REF || github.ref }}, upgrading to v7.0.0 in the caller workflow while the reusable workflow remains on v6 creates version mismatch inconsistency. Additionally, to maintain backward compatibility across all 13 consumer repositories that depend on these workflows, version consistency is preferable. Revert lines 70, 94, and 521 to @v6.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/autofix.yml at line 70, Revert the actions/checkout action
from v7.0.0 back to v6 in three locations within the autofix.yml workflow file
(lines 70, 94, and 521). Replace each instance of
`actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0` with
`actions/checkout@v6` to maintain consistency with the reusable workflow
reusable-18-autofix.yml which still uses v6, ensuring version compatibility
across all consumer repositories that depend on these workflows.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
Pin checkout action to commit SHA instead of @v7 tag.
This file uses an unpinned tag reference (@v7) which violates the coding guideline that .github/workflows/*.yml files should pin action references to specific commit SHAs. Other workflows in this PR correctly use the pinned v7.0.0 commit SHA format.
Update line 28 to use the commit SHA with an inline version comment for consistency across the repository.
🔧 Proposed fix
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v7 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 28-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/baseline-report.yml at line 28, In the baseline-report.yml
file, update the actions/checkout action reference from the unpinned tag `@v7` to
a pinned commit SHA format. Replace the tag reference with the specific commit
SHA used in other workflows in this repository (mentioned as v7.0.0 format) and
include an inline version comment to maintain consistency with other workflow
files that follow this pinning convention.
Source: Coding guidelines
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
Pin checkout action to commit SHA instead of @v7 tag.
This file uses an unpinned tag reference (@v7) which violates the coding guideline that .github/workflows/*.yml files should pin action references to specific commit SHAs. Other workflows in this PR correctly use the pinned v7.0.0 commit SHA format.
Update line 43 to use the commit SHA with an inline version comment for consistency across the repository.
🔧 Proposed fix
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v7 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 43-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 43, The `actions/checkout@v7` reference in
the workflow file uses an unpinned tag instead of a specific commit SHA, which
violates the repository's security guideline for GitHub Actions. Replace the
`@v7` tag reference with the pinned commit SHA format for v7.0.0, including an
inline version comment for clarity, to match the pattern used consistently in
other workflows in the repository.
Source: Coding guidelines
| steps: | ||
| - name: Checkout trip-planner (PR head) | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Pin checkout actions to commit SHA instead of @v7 tag.
Both actions/checkout references on lines 32 and 37 use unpinned tag references (@v7) which violate the coding guideline that .github/workflows/*.yml files should pin action references to specific commit SHAs. Other workflows in this PR correctly use the pinned v7.0.0 commit SHA format.
Update both lines to use the commit SHA with an inline version comment for consistency across the repository.
🔧 Proposed fix
- name: Checkout trip-planner (PR head)
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: trip-planner
- name: Checkout Travel-Plan-Permission at pinned ref
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0Also applies to: 37-37
🧰 Tools
🪛 zizmor (1.25.2)
[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/cross-repo-smoke.yml at line 32, Replace the unpinned tag
reference `@v7` with the specific commit SHA for the v7.0.0 release of
actions/checkout on both line 32 and line 37. Use the pinned commit SHA format
with an inline version comment for consistency, matching the pattern used by
other workflows in the repository.
Source: Coding guidelines
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check the actual content of the workflow file
cat -n .github/workflows/maint-dependabot-auto-lock.yml | head -30Repository: stranske/trip-planner
Length of output: 1014
🏁 Script executed:
#!/bin/bash
# Check other actions/checkout usages in the repository
rg 'actions/checkout@' --type yaml -A 1 -B 1Repository: stranske/trip-planner
Length of output: 47
🏁 Script executed (no clone):
# Verify if the suggested SHA is actually v7.0.0 of actions/checkout
curl -s 'https://api.github.com/repos/actions/checkout/releases/tags/v7.0.0' | jq '.target_commitish' 2>/dev/null || echo "Checking alternate approach..."
curl -s 'https://api.github.com/repos/actions/checkout/git/refs/tags/v7.0.0' | jq '.object.sha' 2>/dev/null
Length of output: 41
🏁 Script executed:
#!/bin/bash
# Find all workflow files and check actions/checkout patterns
find .github/workflows -name "*.yml" -o -name "*.yaml" | while read file; do
echo "=== $file ==="
grep -n "actions/checkout" "$file" || echo "(no checkout found)"
doneRepository: stranske/trip-planner
Length of output: 6154
🏁 Script executed:
#!/bin/bash
# Check if there's any documentation about pinning policy
find . -type f \( -name "*.md" -o -name "*.txt" \) | xargs grep -l "pin\|SHA\|commit" 2>/dev/null | head -5Repository: stranske/trip-planner
Length of output: 288
🏁 Script executed (no clone):
# Verify the commit SHA for v7.0.0 of actions/checkout
# Try multiple approaches
echo "=== Attempting to get v7.0.0 info ==="
# Get all releases to find v7.0.0
curl -s 'https://api.github.com/repos/actions/checkout/releases?per_page=50' | jq '.[] | select(.tag_name == "v7.0.0") | {tag: .tag_name, commit: .target_commitish, sha: (.body | capture("(?<sha>[a-f0-9]{40})") | .sha)}' 2>/dev/null || echo "API approach failed"
echo "=== Trying direct tag lookup ==="
curl -s 'https://api.github.com/repos/actions/checkout/refs/tags/v7.0.0' 2>/dev/null | jq '.object | {sha, type}' || echo "Tag lookup failed"
Length of output: 156
Pin actions/checkout to an immutable commit SHA to match repository policy.
Line 23 uses mutable @v7. The repository has standardized on pinned SHAs for actions/checkout; most workflows already use the v7.0.0 pin while a few others (including this one) remain unpinned.
Suggested fix
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v7 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/maint-dependabot-auto-lock.yml at line 23, The
`actions/checkout@v7` action is using a mutable version tag instead of being
pinned to an immutable commit SHA, which does not match the repository's
standardization policy. Replace the mutable `@v7` reference in the
`actions/checkout` action with a pinned commit SHA format (such as the v7.0.0
commit SHA that other workflows in the repository already use) to ensure
consistency with the repository's security and reproducibility standards.
Source: Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
|
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# First, let's look at the actual pr-00-gate.yml file
cat -n .github/workflows/pr-00-gate.yml | head -160Repository: stranske/trip-planner
Length of output: 6717
🏁 Script executed:
#!/bin/bash
# Check the standard pr-00-gate.yml in the Workflows repo
cat -n .github/workflows/pr-00-gate.yml | head -160Repository: stranske/Workflows
Length of output: 177
🏁 Script executed (no clone):
#!/bin/bash
# Verify the SHA for actions/checkout v7.0.0
curl -s https://api.github.com/repos/actions/checkout/commits?per_page=1 | jq -r '.[0] | "\(.sha) - \(.commit.message)"'
# Also check specific v7.0.0 release
curl -s https://api.github.com/repos/actions/checkout/releases/tags/v7.0.0 | jq -r '.target_commitish, .body' | head -20
Length of output: 117
🏁 Script executed:
#!/bin/bash
# Fetch the standard pr-00-gate.yml
head -160 .github/workflows/pr-00-gate.ymlRepository: stranske/Workflows
Length of output: 177
🏁 Script executed (no clone):
#!/bin/bash
# Get v7.0.0 release details for actions/checkout
curl -s "https://api.github.com/repos/actions/checkout/releases/tags/v7.0.0" | jq -r '.target_commitish'
Length of output: 36
🏁 Script executed (no clone):
#!/bin/bash
# Try a different approach to get v7.0.0 info
curl -s "https://github.com/actions/checkout/releases/tag/v7.0.0" -H "Accept: application/vnd.github.v3.raw" 2>/dev/null | grep -i "commit\|sha" | head -5
# Also try git to get the tag info
git ls-remote --tags https://github.com/actions/checkout.git | grep "v7.0.0"
Length of output: 6627
🏁 Script executed:
#!/bin/bash
# Check if there are any existing pinned references to actions/checkout in the repo for comparison
rg "actions/checkout@" .github/workflows/ -A 2Repository: stranske/trip-planner
Length of output: 14338
🏁 Script executed:
#!/bin/bash
# Verify the event type in pr-00-gate.yml and check if v7.0.0 fork blocking applies
head -35 .github/workflows/pr-00-gate.yml | grep -A 5 "^on:"Repository: stranske/trip-planner
Length of output: 190
🏁 Script executed (no clone):
#!/bin/bash
# Get more details on v7.0.0 release notes regarding fork PR restrictions
curl -s "https://api.github.com/repos/actions/checkout/releases/tags/v7.0.0" | python3 - <<'PY'
import json, sys
data = json.load(sys.stdin)
print("Release body (first 1500 chars):")
print(data.get('body', 'N/A')[:1500])
PY
Length of output: 752
Pin SHA and add credential persistence setting to all checkout steps.
Lines 51, 95, and 132 use mutable @v7. Pin to the v7.0.0 SHA and set persist-credentials: false on all three steps since they do not push changes.
Suggested fix
- - name: Checkout repository
- uses: actions/checkout@v7
+ - name: Checkout repository
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false- - name: Checkout repository
- uses: actions/checkout@v7
+ - name: Checkout repository
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
+ persist-credentials: false
sparse-checkout: |
.github/scripts
sparse-checkout-cone-mode: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| uses: actions/checkout@v7 | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 50-51: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-00-gate.yml around lines 50 - 52, The checkout steps
using the mutable `actions/checkout@v7` action at lines 51, 95, and 132 need to
be pinned to a specific SHA version and configured to not persist credentials
since these steps do not perform any git push operations. Replace each instance
of `uses: actions/checkout@v7` with the pinned v7.0.0 SHA, and add the
`persist-credentials: false` parameter to each of the three checkout step
definitions to improve workflow security and reproducibility.
Source: Linters/SAST tools
This PR contains the following updates:
v6.0.3→v7.0.0v6→v7Release Notes
actions/checkout (actions/checkout)
v7.0.0Compare Source
v7Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
Summary by CodeRabbit