chore(deps): bump actions/checkout from 4.3.1 to 7.0.0 #424
dependabot[bot] wants to merge 1 commit into
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4.3.1...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Kusari Analysis Results:

Caution: Flagged Issues Detected

The dependency analysis found no pinned version dependency changes, presenting no additional risk. However, the code analysis identified 3 high-severity supply chain risks across two workflow files (ci.yml at lines 15 and 36, and release.yml at line 32). In all three cases, actions/checkout is referenced via a mutable version tag (@v7.0.0) rather than an immutable commit SHA. This violates the blanket pinning policy and creates a real supply chain attack vector: if the tag is silently moved or the action repository is compromised, malicious code could be injected into your CI/CD pipeline without any visible change to your workflow files. We strongly recommend replacing all three mutable tag references with their corresponding full commit SHAs before merging.

Action items:
(1) Resolve the commit SHA for actions/checkout@v7.0.0,
(2) Replace @v7.0.0 with the full SHA in ci.yml lines 15 and 36, and
(3) Replace @v7.0.0 with the full SHA in release.yml line 32.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

actions/checkout is referenced using a mutable version tag (@v7.0.0). This must be pinned to a specific immutable commit SHA to satisfy the blanket pinning policy and prevent supply chain attacks.
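The mitigation the analysis describes (find every `uses:` reference that is not a full commit SHA and replace it with one, keeping the tag as a trailing comment), as an added example that is not part of this PR, of Dependabot, or of Kusari's tooling: the workflow text and the all-zero SHA are constructed placeholders, and `find_unpinned`/`pin_to_sha` are hypothetical helper names.

```python
import re

# Step reference of the form `[- ]uses: owner/repo[/path]@ref`, optional trailing comment.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: two mutable-tag references plus one step that is already pinned.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v7.0.0
      - name: Checkout
        uses: actions/checkout@v7.0.0
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""
# Placeholder only: resolve the real value with
#   git ls-remote --tags https://github.com/actions/checkout v7.0.0
# and take the peeled `refs/tags/v7.0.0^{}` line if the tag is annotated.
PLACEHOLDER_SHA = "0" * 40


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for each step whose ref is not a 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_to_sha(workflow_text, sha_for):
    """Rewrite each mutable ref listed in sha_for[(action, ref)] to its SHA, keeping the
    original tag as a trailing comment so reviewers still see which version the SHA is."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in sha_for:
                line = f"{m.group('prefix')}{key[0]}@{sha_for[key]} # {key[1]}"
        out.append(line)
    return "\n".join(out) + "\n"
```

`find_unpinned(SAMPLE_WORKFLOW)` reports lines 4 and 6; after `pin_to_sha` with the placeholder mapping it returns an empty list, and the already-pinned setup-node line is left untouched.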
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v7.0.0 |
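Review bot: the removed line in this hunk reads `actions/checkout@v6.0.2`, while the PR title and the `updated-dependencies` block describe a bump from 4.3.1; either the description is stale or an earlier bump already landed on this branch, so the `v4.3.1...v7` commit range in the description does not match what this file actually changes. The replacement also still uses a mutable tag; pin to the full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v7.0.0`, which satisfies the pinning policy Kusari flagged and lets Dependabot continue to update the pin.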
actions/checkout is referenced using a mutable version tag (@v7.0.0). This must be pinned to a specific immutable commit SHA to satisfy the blanket pinning policy and prevent supply chain attacks.
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v7.0.0 |
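Review bot: this is a semver-major bump (`update-type: version-update:semver-major`), and the commit list in the description includes "block checking out fork pr for pull_request_target and workflow_run (#2454)"; if this workflow runs on `pull_request_target` or `workflow_run` and checks out the PR head, confirm it still behaves under v7 before merging rather than treating this as a drop-in update. The same SHA-pin replacement applies to this line as to the first hunk.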
actions/checkout is referenced using a mutable version tag (@v7.0.0). This must be pinned to a specific immutable commit SHA to satisfy the blanket pinning policy and prevent supply chain attacks.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6.0.2 | ||
| uses: actions/checkout@v7.0.0 |
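Review bot: same mutable tag on the named `Checkout` step; replace `@v7.0.0` with the full commit SHA and keep `# v7.0.0` as a trailing comment. Since all three sites reference the same action version, resolve the SHA once and apply the identical value everywhere so the workflow files cannot drift to different commits of the action.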
actions/checkout is referenced using a mutable version tag (@v7.0.0). This must be pinned to a specific immutable commit SHA to satisfy the blanket pinning policy and prevent supply chain attacks.
Bumps actions/checkout from 4.3.1 to 7.0.0.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)