Skip to content

build(deps): bump actions/checkout from 4 to 7#556

Merged
mobin-2008 merged 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7
Jun 22, 2026
Merged

build(deps): bump actions/checkout from 4 to 7#556
mobin-2008 merged 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 4 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 19, 2026

@mobin-2008 mobin-2008 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The most notable changes since v4 are

  1. node.js 24 by default
  2. a security fix for workflows with repository secrets (which we don't use)
  3. a fix for checking out repositories using SHA-256 revs (which also we don't use)

The node.js 20 is EOL by April 30th, 2026 (https://nodejs.org/en/download/archive/v20.20.2 and https://endoflife.date/nodejs). I think this is a good time for upgrading to newer checkout with newer node.js 24 (which is supported until April 30th, 2028).

However I won't merge this PR and I'm waiting for you Davin to merge it if you agree with me.

@davmac314

Copy link
Copy Markdown
Owner

The most notable changes since v4 are "node.js 24 by default" and "a security fix for workflows with repository secrets (which we don't use)" and "a fix for checking out repositories using SHA-256 revs (which also we don't use)"

Just FYI, you are mis-using quotation marks (AKA quotes) there. The quotation marks should be around text that comes from the actual changelog, not the "(which we don't use)" comment which is yours. Quotation marks indicate you are quoting from something else - what's inside the marks is the quote. (That's why I put "(which we don't use)" in quotation marks - I'm quoting you! - but you shouldn't, if you're not quoting something).

Now: I don't see how the action using an end-of-life node.js is a problem (unless there was an actual security concern, which as far as I can tell there is not). If there isn't any difference to us from this upgrade, I don't see the point of doing it now.

@mobin-2008

Copy link
Copy Markdown
Collaborator

The most notable changes since v4 are "node.js 24 by default" and "a security fix for workflows with repository secrets (which we don't use)" and "a fix for checking out repositories using SHA-256 revs (which also we don't use)"

Just FYI, you are mis-using quotation marks (AKA quotes) there. The quotation marks should be around text that comes from the actual changelog, not the "(which we don't use)" comment which is yours. Quotation marks indicate you are quoting from something else - what's inside the marks is the quote. (That's why I put "(which we don't use)" in quotation marks - I'm quoting you! - but you shouldn't, if you're not quoting something).

I changed my message to reflect that its my own words (or at least it's not the exact wording of someone else).

Now: I don't see how the action using an end-of-life node.js is a problem (unless there was an actual security concern, which as far as I can tell there is not). If there isn't any difference to us from this upgrade, I don't see the point of doing it now.

Regardless of being any security concerns, GitHub will remove the support for Node.js 20 fall this year and expects users of GitHub actions to migrate to actions based on Node.js 24: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

@davmac314

Copy link
Copy Markdown
Owner

Regardless of being any security concerns, GitHub will remove the support for Node.js 20 fall this year

Ok (you didn't mention this earlier). Apply then.

@mobin-2008 mobin-2008 merged commit 00913e5 into master Jun 22, 2026
4 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-7 branch June 22, 2026 08:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants