Bump actions/checkout from 4 to 7#84

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 24, 2026


Bumps actions/checkout from 4 to 7.

Summary by CodeRabbit

  • Chores
    • Updated the repository checkout step in two automation workflows to a newer version.
    • No user-facing behavior or validation logic was changed.

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 24, 2026
@openshift-ci openshift-ci Bot requested review from jfrazierRedHat and ravitri June 24, 2026 04:11

openshift-ci Bot commented Jun 24, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign tiwillia for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented Jun 24, 2026

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d844ef7d-f6d5-436d-a05e-45412c849035

📥 Commits

Reviewing files that changed from the base of the PR and between 626f195 and e571ace.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

Walkthrough

Three actions/checkout steps across two GitHub Actions workflow files are updated from @v4 to @v7.

Changes

Workflow checkout version updates

Layer / File(s) | Summary
Checkout version updates: .github/workflows/branch-protection-check.yml, .github/workflows/dependabot-auto-merge.yml | The verify-dependabot-config, verify-workflows, and auto-merge jobs now use actions/checkout@v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely describes the main change: upgrading actions/checkout from v4 to v7.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto | ✅ Passed | Only checkout version bumps in two workflow files; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found.
Container-Privileges | ✅ Passed | The PR only bumps actions/checkout refs; the changed workflows contain no privileged/hostPID/allowPrivilegeEscalation/root settings, and repo scan found none.
No-Sensitive-Data-In-Logs | ✅ Passed | The changed workflows only log branch-protection/status metadata and Dependabot update info; no passwords, tokens, PII, or customer data are echoed.
No-Hardcoded-Secrets | ✅ Passed | Only checkout versions changed; changed workflow files contain no hardcoded secret literals or embedded credentials, just secret references.
No-Injection-Vectors | ✅ Passed | Only action version bumps; scans of the modified workflows found no eval/exec, yaml.load, pickle.loads, os.system, or unsafe HTML sinks.
Ai-Attribution | ✅ Passed | No AI-tool usage was mentioned in the PR or commit trailers; the only trailer present is Dependabot's Signed-off-by, so no AI attribution issue.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Line 18: Replace the mutable tag reference in the uses field for
actions/checkout from `@v7` to a full commit SHA (a 40-character hash) to ensure
reproducibility and prevent supply-chain attacks. Additionally, add a with
section to the actions/checkout action that includes persist-credentials set to
false to disable default credential persistence and minimize GITHUB_TOKEN
exposure. Apply this same fix to both occurrences at line 18 and line 40 in the
workflow file.

In @.github/workflows/dependabot-auto-merge.yml:
- Line 19: The actions/checkout step currently uses a mutable tag reference
(`@v7`) and does not disable credential persistence, which creates security risks.
Replace the `uses: actions/checkout@v7` reference with a pinned SHA version of
the checkout action and add a `with:` section that sets `persist-credentials:
false` to follow least privilege principles and ensure the workflow uses a
specific, immutable version of the action.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1a535919-fb29-44b5-8c7c-fc2113c50f4b

📥 Commits

Reviewing files that changed from the base of the PR and between f623c4b and 626f195.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin actions/checkout to a full commit SHA and disable credential persistence.

Line 18 and Line 40 use a mutable tag (@v7) and keep default credential persistence. This violates workflow security hardening and increases supply-chain/token exposure risk.

🔒 Suggested fix
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false
...
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false
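Review bot: the `<full-length-commit-sha-for-v7>` placeholder on both `+        uses:` lines is not a valid ref and has to be replaced with the 40-character commit SHA that the `v7` tag resolves to before the suggestion is applied; keeping the tag as a trailing comment (`uses: actions/checkout@<sha> # v7`) keeps the pin readable and lets Dependabot continue to bump the SHA. The `...` separator means the two occurrences (line 18 and line 40) get the identical change, so resolve the SHA once and apply it to both.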

As per path instructions, ".github/workflows/**/*: Pin actions by full SHA, not tag" and "Least privilege: minimize GITHUB_TOKEN permissions."

Also applies to: 40-40

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/branch-protection-check.yml at line 18, Replace the
mutable tag reference in the uses field for actions/checkout from `@v7` to a full
commit SHA (a 40-character hash) to ensure reproducibility and prevent
supply-chain attacks. Additionally, add a with section to the actions/checkout
action that includes persist-credentials set to false to disable default
credential persistence and minimize GITHUB_TOKEN exposure. Apply this same fix
to both occurrences at line 18 and line 40 in the workflow file.

Sources: Path instructions, Linters/SAST tools

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout step: pin by SHA and set persist-credentials: false.

Line 19 currently references actions/checkout via mutable tag (@v7) and leaves credential persistence enabled.

🔒 Suggested fix
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false
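Review bot: `persist-credentials: false` removes the GITHUB_TOKEN that actions/checkout would otherwise store in `.git/config`, so any later step in the auto-merge job that relied on that stored token for git operations (a push, a tag) would need the token passed explicitly instead; steps that already receive `secrets.GITHUB_TOKEN` as an input, such as the Fetch Dependabot Metadata step with its `github-token`, are unaffected. The `<full-length-commit-sha-for-v7>` placeholder on the `+        uses:` line must also be resolved to the real commit SHA, as in the other workflow file.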

As per path instructions, ".github/workflows/**/*: Pin actions by full SHA, not tag" and "Least privilege: minimize GITHUB_TOKEN permissions."

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 18-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml at line 19, The actions/checkout
step currently uses a mutable tag reference (`@v7`) and does not disable
credential persistence, which creates security risks. Replace the `uses:
actions/checkout@v7` reference with a pinned SHA version of the checkout action
and add a `with:` section that sets `persist-credentials: false` to follow least
privilege principles and ensure the workflow uses a specific, immutable version
of the action.

Sources: Path instructions, Linters/SAST tools


openshift-ci Bot commented Jun 24, 2026


@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main | 626f195 | link | true | /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from 626f195 to e571ace Compare June 30, 2026 17:34
@github-actions


Major Version Update Detected

This PR contains a major version update that requires manual review:

  • Dependency: actions/checkout
  • Previous version: 4
  • New version: 7

Please review the changelog and breaking changes before merging.

Auto-merge has been disabled for this PR.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 24-28: The Fetch Dependabot Metadata step in the workflow is using
a mutable action ref, so update the uses value in the metadata step of the
dependabot/fetch-metadata action to a full commit SHA instead of `@v2`. Keep the
existing step name, id, and github-token input unchanged, and make sure the
workflow follows the pinned-actions rule for .github/workflows/**/*.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d844ef7d-f6d5-436d-a05e-45412c849035

📥 Commits

Reviewing files that changed from the base of the PR and between 626f195 and e571ace.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

@coderabbitai coderabbitai Bot left a comment


Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 24-28: The Fetch Dependabot Metadata step in the workflow is using
a mutable action ref, so update the uses value in the metadata step of the
dependabot/fetch-metadata action to a full commit SHA instead of `@v2`. Keep the
existing step name, id, and github-token input unchanged, and make sure the
workflow follows the pinned-actions rule for .github/workflows/**/*.

🛑 Comments failed to post (1)
.github/workflows/dependabot-auto-merge.yml (1)

24-28: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin dependabot/fetch-metadata to a full commit SHA.

@v2 is still a mutable ref, so this step does not meet the workflow hardening rule for pinned actions. As per path instructions, ".github/workflows/**/*: Pin actions by full SHA, not tag".

🔒 Minimal hardening diff
       - name: Fetch Dependabot Metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@<full-length-commit-sha-for-v2>
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
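Review bot: the `+        uses:` line still carries the `<full-length-commit-sha-for-v2>` placeholder, and the committable suggestion that follows repeats it, so committing either verbatim would leave the step pointing at a ref that does not exist and the job would fail at checkout of the action; resolve the commit SHA behind the `v2` tag first and keep a `# v2` trailing comment so the pin stays traceable. The unchanged `github-token: "${{ secrets.GITHUB_TOKEN }}"` context line shows the step already receives its token explicitly, so the pin does not change how it authenticates.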
📝 Committable suggestion


      - name: Fetch Dependabot Metadata
        id: metadata
        uses: dependabot/fetch-metadata@<full-length-commit-sha-for-v2>
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml around lines 24 - 28, The Fetch
Dependabot Metadata step in the workflow is using a mutable action ref, so
update the uses value in the metadata step of the dependabot/fetch-metadata
action to a full commit SHA instead of `@v2`. Keep the existing step name, id, and
github-token input unchanged, and make sure the workflow follows the
pinned-actions rule for .github/workflows/**/*.

Source: Path instructions
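A small checker for the two findings the CodeRabbit comments raise (mutable `uses:` refs and actions/checkout steps that do not set `persist-credentials: false`), as an added example that is neither CodeRabbit's, zizmor's nor the repository's own code. It walks workflow YAML by indentation with plain regexes instead of a YAML library, and the sample workflow, including its 40-hex-digit SHA, is constructed for the demonstration.

```python
import re

# A step begins at a YAML list item whose first key is one of the usual step keys.
STEP_START = re.compile(r"^\s*-\s+(?:name|uses|id|run|with|env|if):")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def split_steps(text):
    """Group the workflow's lines into steps: a list of [(line_no, line), ...]."""
    steps = []
    for no, line in enumerate(text.splitlines(), start=1):
        if STEP_START.match(line):
            steps.append([])
        if steps:
            steps[-1].append((no, line))
    return steps

def audit_workflow(text):
    """Return (line, rule, message) tuples; rule names mirror the zizmor rules quoted in the review."""
    findings = []
    for step in split_steps(text):
        uses = [(no, m.group(1)) for no, line in step if (m := USES.match(line))]
        if not uses or uses[0][1].startswith(("./", "docker://")):
            continue                # a run: step, or a local/docker ref with no tag to pin
        no, ref = uses[0]
        action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((no, "unpinned-uses", f"{action} is referenced by mutable ref '{version or '<none>'}'"))
        if action == "actions/checkout":
            # Collect the step's key/value lines; persist-credentials lives under with:.
            opts = {m.group(1): m.group(2).lower() for _, line in step if (m := KEY_VALUE.match(line))}
            if opts.get("persist-credentials") != "false":
                findings.append((no, "artipacked", "actions/checkout keeps GITHUB_TOKEN in .git/config"))
    return findings

# Constructed sample modelled on the review's findings; the SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  verify-workflows:
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
      - name: Checkout code (hardened)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7, placeholder SHA
        with:
          persist-credentials: false
      - name: Fetch Dependabot Metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
"""
```

Running `audit_workflow(SAMPLE)` reports the unpinned and credential-persisting checkout on line 5 and the unpinned fetch-metadata on line 11, while the hardened step on line 7 produces nothing.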
