build(deps): bump actions/checkout from 4 to 7 #556
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
The most notable changes since v4 are
- node.js 24 by default
- a security fix for workflows with repository secrets (which we don't use)
- a fix for checking out repositories using SHA-256 revs (which we also don't use)

Node.js 20 is EOL by April 30th, 2026 (https://nodejs.org/en/download/archive/v20.20.2 and https://endoflife.date/nodejs). I think this is a good time for upgrading to a newer checkout with the newer node.js 24 (which is supported until April 30th, 2028).
However, I won't merge this PR and I'm waiting for you, Davin, to merge it if you agree with me.
Just FYI, you are mis-using quotation marks (AKA quotes) there. The quotation marks should be around text that comes from the actual changelog, not the "(which we don't use)" comment which is yours. Quotation marks indicate you are quoting from something else - what's inside the marks is the quote. (That's why I put "(which we don't use)" in quotation marks - I'm quoting you! - but you shouldn't, if you're not quoting something).

Now: I don't see how the action using an end-of-life node.js is a problem (unless there was an actual security concern, which as far as I can tell there is not). If there isn't any difference to us from this upgrade, I don't see the point of doing it now.
I changed my message to reflect that it's my own words (or at least it's not the exact wording of someone else).
Regardless of there being any security concerns, GitHub will remove support for Node.js 20 in the fall this year and expects users of GitHub actions to migrate to actions based on Node.js 24: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Ok (you didn't mention this earlier). Apply then.
Bumps actions/checkout from 4 to 7.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)