4 changes: 2 additions & 2 deletions .github/workflows/branch-protection-check.yml
Expand Up @@ -15,7 +15,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin actions/checkout to a full commit SHA and disable credential persistence.

Line 18 and Line 40 use a mutable tag (@v7) and keep default credential persistence. This violates workflow security hardening and increases supply-chain/token exposure risk.

🔒 Suggested fix
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false
...
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false

As per path instructions, ".github/workflows/**/*: Pin actions by full SHA, not tag" and "Least privilege: minimize GITHUB_TOKEN permissions."

Also applies to: 40-40

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/branch-protection-check.yml at line 18, Replace the
mutable tag reference in the uses field for actions/checkout from `@v7` to a full
commit SHA (a 40-character hash) to ensure reproducibility and prevent
supply-chain attacks. Additionally, add a with section to the actions/checkout
action that includes persist-credentials set to false to disable default
credential persistence and minimize GITHUB_TOKEN exposure. Apply this same fix
to both occurrences at line 18 and line 40 in the workflow file.

Sources: Path instructions, Linters/SAST tools


- name: Check Dependabot Config
run: |
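Review bot: The jump from `@v4` straight to `@v7` in the `Checkout code` step lands with no `with:` block, so the step silently accepts the action's defaults across three major versions, credential persistence included. Pin to the full commit SHA of the v7 release and keep the tag as a trailing comment (`uses: actions/checkout@<sha> # v7`) so Dependabot can still propose updates, and add `persist-credentials: false`; the next step, `Check Dependabot Config`, runs an inline script and has no need for a git token left behind in `.git/config`.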
Expand All @@ -37,7 +37,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

- name: Check Required Workflows and Branch Protection
env:
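Review bot: The second job in this file gets the same unpinned `@v7` bump, so apply the SHA pin and `persist-credentials: false` here as well and harden both jobs in one pass rather than leaving one behind. The following step, `Check Required Workflows and Branch Protection`, carries its own `env:` block for whatever credentials it needs, so nothing downstream relies on the checkout persisting the token.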
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-auto-merge.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
PR_NUMBER: ${{ github.event.pull_request.number }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout step: pin by SHA and set persist-credentials: false.

Line 19 currently references actions/checkout via mutable tag (@v7) and leaves credential persistence enabled.

🔒 Suggested fix
       - name: Checkout code
-        uses: actions/checkout@v7
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false

As per path instructions, ".github/workflows/**/*: Pin actions by full SHA, not tag" and "Least privilege: minimize GITHUB_TOKEN permissions."

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 18-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml at line 19, The actions/checkout
step currently uses a mutable tag reference (`@v7`) and does not disable
credential persistence, which creates security risks. Replace the `uses:
actions/checkout@v7` reference with a pinned SHA version of the checkout action
and add a `with:` section that sets `persist-credentials: false` to follow least
privilege principles and ensure the workflow uses a specific, immutable version
of the action.

Sources: Path instructions, Linters/SAST tools
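One way to catch both findings zizmor raises in the two comments above (an unpinned `uses:` reference and an `actions/checkout` step without `persist-credentials: false`) before a PR reaches review, as an added example that is not part of this PR or of zizmor: a small Python scanner over workflow text. The workflow in `SAMPLE_WORKFLOW` is constructed for the example, `scan_workflow` and `step_disables_persist` are this example's own functions, and the rule names are borrowed from zizmor's output only as labels. It deliberately walks the file line by line instead of using a YAML library so it runs offline with nothing but the standard library.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not the repository's real file): one
# hardened checkout, a local action, and two weak checkouts so that both
# rules fire.
SAMPLE_WORKFLOW = """\
name: example
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v7

      - name: Hardened checkout
        uses: actions/checkout@1111111111111111111111111111111111111111 # v7
        with:
          persist-credentials: false

      - name: Local action
        uses: ./.github/actions/local

      - name: Another checkout
        uses: actions/checkout@v7
        with:
          fetch-depth: 0
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?(\w+)['\"]?")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    rule: str      # rule label, named after the zizmor audit it mirrors
    message: str


def step_disables_persist(lines: List[str], uses_idx: int) -> bool:
    """True if the step whose `uses:` key sits at lines[uses_idx] (0-based)
    sets persist-credentials to false in its `with:` block."""
    key_col = lines[uses_idx].index("uses:")
    for line in lines[uses_idx + 1:]:
        if not line.strip():
            continue                       # blank lines are allowed inside a step
        indent = len(line) - len(line.lstrip())
        if indent < key_col:
            break                          # dedented: next step or end of the list
        m = PERSIST_RE.match(line)
        if m:
            return m.group(1).lower() == "false"
    return False


def scan_workflow(text: str) -> List[Finding]:
    """Report every `uses:` not pinned to a full commit SHA, and every
    actions/checkout step that leaves the token persisted in .git/config."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue                       # local or image references carry no tag to pin
        action, _, version = ref.partition("@")
        lineno = idx + 1
        if not SHA_RE.match(version):
            findings.append(Finding(
                lineno, "unpinned-uses",
                f"{action} is pinned to '{version}', not a full commit SHA"))
        if action == "actions/checkout" and not step_disables_persist(lines, idx):
            findings.append(Finding(
                lineno, "artipacked",
                "actions/checkout keeps the GITHUB_TOKEN in .git/config; "
                "set persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run against a real `.github/workflows/*.yml` by passing the file contents to `scan_workflow`; the scanner only understands one `uses:` per line and a `with:` block indented under it, which is how GitHub's own examples and the two workflows in this PR are written, so a file using flow-style YAML would need the real tool.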


- name: Fetch Dependabot Metadata
id: metadata
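Review bot: Same unpinned `@v7` bump, this time in the workflow that merges Dependabot PRs, so the job token it runs with has to be write-capable; with default credential persistence that token is written into `.git/config` in the workspace for the rest of the job. Pin by full SHA and set `persist-credentials: false`, and check whether the checkout is needed at all: the following `Fetch Dependabot Metadata` step reads PR metadata from the API, and if no later step touches files from the working tree the checkout step can simply be removed.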