Skip to content

Bump actions/checkout from 6 to 7#6121

Merged
falkoschindler merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Jun 20, 2026
Merged

Bump actions/checkout from 6 to 7#6121
falkoschindler merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Type/scope: Third party libraries label Jun 18, 2026
@evnchn

evnchn commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Posted by Claude Code on @evnchn's behalf.

TL;DR — safe to merge; no breaking impact on NiceGUI.

This is a CI-only bump (actions/checkout v6→v7), 5 lines across 5 workflow files. No library/API/runtime code is touched.

checkout v7.0.0 has exactly one behavioral change — it now refuses to check out fork-PR code under pull_request_target / workflow_run triggers (security hardening). None of NiceGUI's workflows use those triggers, so even that change is inert here. Everything else in v7 is internal (ESM upgrade + dependency bumps).

v7.0.0 contents — verbatim from source (not a search summary)

Pulled from raw.githubusercontent.com/actions/checkout/main/CHANGELOG.md + gh api repos/actions/checkout/releases/tags/v7.0.0:

  • Block checking out fork PR for pull_request_target and workflow_run (#2454) — the only behavioral/breaking change
  • upgrade module to ESM + update dependencies (#2463) — internal
  • dependency bumps: flatted, js-yaml, @actions/core, @actions/tool-cache, remove uuid (#2458#2462) — internal
  • "getting ready for v7 release" / "update error wording" — cosmetic

Full diff: actions/checkout@v6.0.3...v7.0.0

The one breaking change (#2454), exact mechanics

From the PR #2454 description:

This PR adds a check that refuses to check out fork pull request code when the workflow trigger is either pull_request_target or workflow_run, unless the workflow author explicitly opts in via a new input allow-unsafe-pr-checkout: true.

This closes the classic "pwn-request" fork-PR exfiltration vector. It only bites workflows that (a) trigger on pull_request_target/workflow_run and (b) explicitly check out the untrusted fork ref.

Why it's inert for NiceGUI — checked all 8 workflows

The checkout-using workflows are all reusable (workflow_call) or workflow_dispatch; none use pull_request_target or workflow_run:

Workflow Trigger Uses checkout?
_check.yml workflow_call yes
_docker.yml workflow_dispatch yes
_pypi.yml workflow_dispatch yes
_test.yml workflow_call yes
copilot-setup-steps.yml workflow_dispatch/PR path yes
_verify.yml workflow_call no
ci-gate.yml (orchestrator) no
publish.yml (orchestrator) no

So none of (a)+(b) above is met. CI behavior is unchanged.

Verdict: mergeable as-is. The Dependabot compatibility badge is a heuristic; the above is a manual confirmation.

@falkoschindler falkoschindler added the review Status: PR is open and needs review label Jun 20, 2026
@falkoschindler falkoschindler added this to the 3.14 milestone Jun 20, 2026
@falkoschindler falkoschindler added infrastructure Type/scope: GitHub Actions and IDE and removed dependencies Type/scope: Third party libraries labels Jun 20, 2026
@falkoschindler falkoschindler added this pull request to the merge queue Jun 20, 2026
Merged via the queue into main with commit 31db0e0 Jun 20, 2026
9 checks passed
@falkoschindler falkoschindler deleted the dependabot/github_actions/actions/checkout-7 branch June 20, 2026 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

infrastructure Type/scope: GitHub Actions and IDE review Status: PR is open and needs review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants