-
Notifications
You must be signed in to change notification settings - Fork 0
chore(deps): update actions/checkout action to v7 #1419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -81,7 +81,7 @@ jobs: | |
| fingerprint_current_hash: ${{ steps.fingerprint.outputs.current_hash }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧹 Nitpick | 🔵 Trivial 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Check if the file exists and get its location
find . -name "agents-81-gate-followups.yml" -type fRepository: stranske/trip-planner Length of output: 114 🏁 Script executed: #!/bin/bash
# If file exists, read the relevant lines around 84, 384, and 547
if [ -f ".github/workflows/agents-81-gate-followups.yml" ]; then
echo "=== Lines 80-90 (around line 84) ==="
sed -n '80,90p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Lines 380-390 (around line 384) ==="
sed -n '380,390p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Lines 543-553 (around line 547) ==="
sed -n '543,553p' ".github/workflows/agents-81-gate-followups.yml"
fiRepository: stranske/trip-planner Length of output: 1353 🏁 Script executed: #!/bin/bash
# Check if the file also exists in stranske/Workflows
find . -name "agents-81-gate-followups.yml" -type fRepository: stranske/Workflows Length of output: 135 🏁 Script executed: #!/bin/bash
# Get the job context for all three checkout instances
echo "=== Context for Line 84 checkout (job name and full job) ==="
sed -n '1,84p' ".github/workflows/agents-81-gate-followups.yml" | tail -30
echo ""
echo "=== Context for Line 384 checkout ==="
sed -n '370,390p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Context for Line 547 checkout ==="
sed -n '535,560p' ".github/workflows/agents-81-gate-followups.yml"Repository: stranske/trip-planner Length of output: 3692 🏁 Script executed: #!/bin/bash
# Search for git push commands in this workflow file
echo "=== Looking for git push, git commit, or write operations ==="
rg -n "git (push|commit|add)" ".github/workflows/agents-81-gate-followups.yml" || echo "No direct git push/commit found"Repository: stranske/trip-planner Length of output: 159 🏁 Script executed: #!/bin/bash
# Check the template file in Workflows repo
echo "=== Template file in Workflows repo ==="
if [ -f "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" ]; then
echo "File exists. Checking for persist-credentials setting:"
rg "persist-credentials" "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" || echo "No persist-credentials found in template"
fiRepository: stranske/Workflows Length of output: 198 🏁 Script executed: #!/bin/bash
# Get exact job names
echo "=== Job name for line 84 ==="
sed -n '50,90p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^ [a-z-]+:" | tail -1
echo ""
echo "=== Full job for line 384 ==="
sed -n '370,395p' ".github/workflows/agents-81-gate-followups.yml" | head -20
echo ""
echo "=== Full job name for line 547 ==="
sed -n '510,550p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^ [a-z-]+:" | tail -1Repository: stranske/trip-planner Length of output: 836 🏁 Script executed: #!/bin/bash
# Check the full file for any git operations that might be hidden in steps
echo "=== All step names in this workflow ==="
rg "name:" ".github/workflows/agents-81-gate-followups.yml" | head -40Repository: stranske/trip-planner Length of output: 1571 🏁 Script executed: #!/bin/bash
# Get the complete list of what each of the three jobs does after checkout
echo "=== Job at line 84 (full context) ==="
sed -n '1,150p' ".github/workflows/agents-81-gate-followups.yml" | tail -60
echo ""
echo "=== Job at line 384 ==="
sed -n '375,430p' ".github/workflows/agents-81-gate-followups.yml"Repository: stranske/trip-planner Length of output: 4935 Apply this security hardening to the source template in stranske/Workflows instead. This is a synced workflow from the Workflows repository template. Per the coding guidelines, Apply the following patch to Proposed hardening patch for Workflows template - name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false🧰 Tools🪛 zizmor (1.25.2)[warning] 83-84: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| - name: Setup API client | ||
| uses: ./.github/actions/setup-api-client | ||
|
|
@@ -381,7 +381,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
|
||
| - name: Setup API client | ||
| uses: ./.github/actions/setup-api-client | ||
|
|
@@ -483,7 +483,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout runner library | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| scripts/runner_lib | ||
|
|
@@ -544,7 +544,7 @@ jobs: | |
| environment: agent-standard | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
|
||
| - name: Setup API client | ||
| uses: ./.github/actions/setup-api-client | ||
|
|
@@ -843,7 +843,7 @@ jobs: | |
| dispatch_reason: ${{ steps.runner_dispatch.outputs.reason }} | ||
| steps: | ||
| - name: Checkout (for security gate + agent registry) | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| .github/actions/setup-api-client | ||
|
|
@@ -1280,7 +1280,7 @@ jobs: | |
| environment: agent-standard | ||
| steps: | ||
| - name: Checkout (for retry helpers) | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| .github/scripts/github-api-with-retry.js | ||
|
|
@@ -1350,7 +1350,7 @@ jobs: | |
| environment: agent-standard | ||
| steps: | ||
| - name: Checkout (for retry helpers) | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| .github/scripts/github-api-with-retry.js | ||
|
|
@@ -1548,7 +1548,7 @@ jobs: | |
| steps: | ||
| # Do not remove checkout; the retry helper is required. | ||
| - name: Checkout (for retry helpers) | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| .github/scripts/github-api-with-retry.js | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -71,7 +71,7 @@ jobs: | |
| proceed: ${{ steps.eligibility.outputs.should-run }} | ||
| steps: | ||
| - name: Checkout eligibility action | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Update synced These changes should be made upstream in As per coding guidelines, " Also applies to: 158-158, 184-184 🤖 Prompt for AI AgentsSource: Coding guidelines |
||
| with: | ||
| ref: >- | ||
| ${{ github.event.pull_request.base.sha || | ||
|
|
@@ -155,7 +155,7 @@ jobs: | |
|
|
||
| - name: Checkout repository | ||
| if: steps.check_enabled.outputs.enabled == 'true' | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| token: ${{ steps.app_token.outputs.token || github.token }} | ||
|
|
||
|
|
@@ -181,7 +181,7 @@ jobs: | |
|
|
||
| - name: Checkout Workflows scripts | ||
| if: steps.check_enabled.outputs.enabled == 'true' | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| token: ${{ steps.app_token.outputs.token || github.token }} | ||
| repository: stranske/Workflows | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -67,7 +67,7 @@ jobs: | |
| dispatch_reason: ${{ steps.runner_dispatch.outputs.reason }} | ||
| steps: | ||
| - name: Checkout eligibility action | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🌐 Web query:
💡 Result: In version 7.0.0 and later, the actions/checkout action implements security guardrails that block the checkout of fork pull request code when the workflow is triggered by pull_request_target or workflow_run [1][2]. This change was introduced to prevent "pwn request" vulnerabilities, where executing untrusted fork code in a privileged context (i.e., one with access to base repository secrets and the GITHUB_TOKEN) could lead to unauthorized access [1][2]. Regarding the behavior of the ref parameter: 1. Blocking Mechanism: By default, the checkout action will refuse to fetch fork-based content in these privileged triggers [1][3]. Attempting to use an explicit ref parameter (such as a pull request head SHA) without the required opt-in will result in a failure [1][2]. 2. Bypassing the Block: To legitimately check out fork code in these scenarios, you must explicitly opt in by setting the allow-unsafe-pr-checkout input to true [1][2]. This should only be done after reviewing the associated security risks, as it effectively authorizes the execution of untrusted fork code in a trusted, privileged environment [1]. 3. Trusted Base-Branch Checkouts: Recent updates have refined this security validation [4]. The action now recognizes explicit checkout configurations targeting the base repository and its trusted base references as safe [4]. Specifically, checkouts are treated as safe if the repository is the base repository (or omitted) and the ref refers to the base SHA or base ref [4]. These safe patterns do not trigger the security block and do not require setting allow-unsafe-pr-checkout to true [4]. In summary, an explicit ref pointing to a fork's head SHA does not bypass the security block; rather, the block is enforced to prevent such unsafe checkouts unless you explicitly acknowledge the risk by enabling the safety bypass [1][2]. Citations:
🏁 Script executed: #!/bin/bash
# Check reusable-18-autofix.yml for allow-unsafe-pr-checkout configuration
rg -A 5 "actions/checkout" .github/workflows/reusable-18-autofix.yml || trueRepository: stranske/Workflows Length of output: 964 🏁 Script executed: #!/bin/bash
# Search for any allow-unsafe-pr-checkout usage in the workflows
rg "allow-unsafe-pr-checkout" .github/workflows/ || trueRepository: stranske/Workflows Length of output: 44 🏁 Script executed: #!/bin/bash
# Check the checkout actions in trip-planner's autofix.yml
sed -n '65,100p' .github/workflows/autofix.ymlRepository: stranske/trip-planner Length of output: 1755 🏁 Script executed: #!/bin/bash
# Check context around line 521 for the third checkout
sed -n '515,530p' .github/workflows/autofix.ymlRepository: stranske/trip-planner Length of output: 584 🏁 Script executed: #!/bin/bash
# Also check the full event trigger context for the resolve job
sed -n '80,95p' .github/workflows/autofix.ymlRepository: stranske/trip-planner Length of output: 840 Remove upgrade to v7.0.0—stay with v6 to maintain compatibility with The 🤖 Prompt for AI Agents |
||
| with: | ||
| ref: >- | ||
| ${{ github.event.pull_request.base.sha || | ||
|
|
@@ -91,7 +91,7 @@ jobs: | |
|
|
||
| - name: Checkout for API helpers | ||
| if: steps.eligibility.outputs.should-run == 'true' | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| .github/actions/setup-api-client | ||
|
|
@@ -518,7 +518,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout runner library | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| sparse-checkout: | | ||
| scripts/runner_lib | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -25,7 +25,7 @@ jobs: | |||||
| refresh: | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/checkout@v6 | ||||||
| - uses: actions/checkout@v7 | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Pin checkout action to commit SHA instead of This file uses an unpinned tag reference ( Update line 28 to use the commit SHA with an inline version comment for consistency across the repository. 🔧 Proposed fix- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.25.2)[warning] 28-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Coding guidelines |
||||||
| with: | ||||||
| token: ${{ secrets.ACTIONS_BOT_PAT || secrets.GITHUB_TOKEN }} | ||||||
|
|
||||||
|
|
||||||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -40,7 +40,7 @@ jobs: | |||||
| name: Runtime CI | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/checkout@v6 | ||||||
| - uses: actions/checkout@v7 | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Pin checkout action to commit SHA instead of This file uses an unpinned tag reference ( Update line 43 to use the commit SHA with an inline version comment for consistency across the repository. 🔧 Proposed fix- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.25.2)[warning] 43-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Coding guidelines |
||||||
|
|
||||||
| - name: Set up Python | ||||||
| uses: actions/setup-python@v6 | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do not patch synced
agents-*workflows locally.Line 170, Line 186, and Line 296 update a synced
agents-*.ymlworkflow in this repo. Per repo policy, this change needs to be made instranske/Workflowsand then synced here; otherwise local drift will be overwritten.As per coding guidelines,
.github/workflows/agents-*.ymlworkflows should be fixed instranske/Workflows, not locally.Also applies to: 186-186, 296-296
🤖 Prompt for AI Agents
Sources: Coding guidelines, Linked repositories