chore: bump actions/checkout from 4 to 7 #3281
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
tangletools
left a comment
✅ Auto-approved PR — 3af47256
Blanket team auto-approval is enabled for this reviewer service.
The full PR reviewer audit still runs separately and will publish findings if it detects issues.
tangletools · auto-approval · reason: blanket_auto_approve · 2026-06-22T18:12:49Z
tangletools
left a comment
🟢 Value Audit — sound
| Verdict | sound |
| Concerns | 0 (none) |
| Heuristic | 0.0s |
| Duplication | 0.0s |
| Interrogation | 106.5s (2 bridge agents) |
| Total | 106.5s |
💰 Value — sound
Bumps actions/checkout from v4 to v7 across all 10 workflow files; a coherent, low-risk dependency update that stays current with upstream.
- What it does: Replaces every `actions/checkout@v4` reference with `actions/checkout@v7` in `.github/workflows/*.yml` (10 files, 12 occurrences).
- Goals it achieves: Keeps CI on the latest supported major version of actions/checkout, picking up dependency refreshes (`@actions/core`, `js-yaml`, etc.) and the new fork-PR checkout guard for `pull_request_target`/`workflow_run`.
- Assessment: Good. The change is exhaustive and consistent. I verified that no workflow in this repo uses `pull_request_target` or `workflow_run` (`.github/workflows/*.yml` grep), so the v7 breaking change around fork PRs does not affect existing flows. The repo already uses Dependabot for GitHub Actions (.github/dependabot.yml:55-68), so the update aligns with existing automation.
- Better / existing approach: none — this is the right approach. I checked `.github/actions/` for a reusable checkout wrapper or shared workflow (none exists beyond release composite actions), and the repo consistently versions actions with floating major tags, so `@v7` matches the established pattern. Centralizing checkout would add indirection without payoff because each invocation carries different inputs (fetch-depth, `p
- Model: opencode/kimi-for-coding/k2p7
- Bridge attempts: 1
🎯 Usefulness — sound
Clean, complete bump of actions/checkout from v4 to v7 across all 12 call sites in CI workflows.
- Integration: Fully wired: every workflow that previously used actions/checkout@v4 now uses @v7 (12 usages across 10 files, e.g. .github/workflows/check-build.yml:24, .github/workflows/test.yml:26, .github/workflows/check-lint.yml:22/52/78). No @v4 references remain in the workflows directory. All workflows are CI entry points, so the new behavior is reached on the next automated run.
- Fit with existing patterns: Matches the codebase's established pattern of pinning major versions of third-party actions in workflow `uses:` directives. There is no competing checkout mechanism; this is a direct replacement.
- Real-world viability: Holds up: the change is a version bump only; no workflow logic, inputs, or outputs were altered. actions/checkout v7 is a published stable release, and all existing `with:` options (fetch-depth, persist-credentials, ref) remain supported.
- Model: opencode/kimi-for-coding/k2p7
- Bridge attempts: 2
- Bridge warning: opencode/zai-coding-plan/glm-5.2: bridge stream ended without value-audit content
No concerns — sound change, no better or existing approach found. ✅
What this audit checks
It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.
| Pass | What it asks |
|---|---|
| Heuristic | Vague title? Whitespace-only or cruft-bearing diff? (content signals only) |
| Duplication | Do added function/class names already exist elsewhere in the repo? |
| Value Audit | What does it do? What goal does it achieve? Is it good? Better architecture or already-exists? |
| Usefulness Audit | Does it integrate and fit? Will it hold up in real use and actually get used? |
Findings are concerns, not blocks — the human reviewer decides what to do with them.
❌ Needs Work —
| opencode-kimi | glm | deepseek | moonmath-m3 | aggregate | |
|---|---|---|---|---|---|
| Readiness | 95 | 92 | 92 | 47 | 47 |
| Confidence | 65 | 65 | 65 | 65 | 65 |
| Correctness | 95 | 92 | 92 | 47 | 47 |
| Security | 95 | 92 | 92 | 47 | 47 |
| Testing | 95 | 92 | 92 | 47 | 47 |
| Architecture | 95 | 92 | 92 | 47 | 47 |
Full multi-shot audit completed 1/1 planned shots over 10 changed files. Global verifier still owns final merge decision.
Blocking
🟣 CRITICAL actions/checkout@v7 is not a real tag and will fail to resolve at runtime — .github/workflows/check-pr-title.yml
actions/checkout major releases are v1→v2→v3→v4→v5; there is no v7 tag. The dependabot PR bumps every workflow from @v4 to @v7, which is a non-existent version. Every modified workflow will fail with 'Unable to resolve action', including .github/workflows/check-pr-title.yml which uses the bad version itself. Fix: replace @v7 with a real tag (likely @v5) and re-run CI to confirm resolution.
Other
🟡 LOW actions/checkout@v7 released 4 days before PR; floating major tag — .github/workflows/check-lint.yml
v7.0.0 was published 18 Jun 2026; the head commit is 22 Jun 2026. The `@v7` floating tag will auto-track future v7.x releases, which could introduce regressions without a new PR. This matches the repo's existing convention (all actions use floating tags: setup-node@v6.4.0, lycheeverse/lychee-action@v2.5.0, github/codeql-action/init@v3), so it is not a regression — informational only. If the team later adopts SHA-pinning policy, this PR is a natural place to apply it; otherwise no action required. Same pattern appears identically in all 10 files in this shot.
🟡 LOW v7.0.0 released 4 days ago — skipping 3 major versions — .github/workflows/check-lint.yml
actions/checkout@v7.0.0 was released 2026-06-18, 4 days before this PR. All 10 workflows skip directly from v4 to v7, bypassing v5 (Node 24) and v6 (credential storage change). The diff is mechanically correct — every `with:` parameter (ref, fetch-depth, token, persist-credentials) maps cleanly to documented v7 inputs — but the freshness of the release means undiscovered regressions are possible. A safer path would be bumping to v6 first, but given this is a GH-owned, widely-used action with no trigger-incompatibility here, risk is low. Evidence: grep confirmed no pull_request_target nor workflow_run triggers in any of the 10 files; v7 README section 'What's new' confirms only fork-PR blocking as a behavioral change.
🟡 LOW Major-version bump performed without breaking-change verification — .github/workflows/check-pr-title.yml
Even if a v7 tag existed, jumping 3 major versions of actions/checkout without consulting release notes is risky. Each major bump has historically changed Node runtime requirements or minor API surfaces. workflows pin node-version '>=18.18.x' which is current, so likely fine — but unverified without a release note.
tangletools · 2026-06-22T18:27:58Z · trace
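The checks the audit above describes doing by hand (no `@v4` left behind, no `pull_request_target`/`workflow_run` triggers that v7's fork-PR guard would affect, and which `uses:` refs are floating major tags rather than commit-SHA pins) can be scripted. The script below is an added example; it is not part of this PR, the repository, or tangletools. The function names are mine, the two workflow files it writes are constructed for the demo (the 40-hex SHA in the second one is a synthetic placeholder, not a real commit), and it assumes plain `grep`/`sed` on a `.github/workflows` directory of `.yml` files.

```shell
#!/usr/bin/env bash
# Added example: audit a workflows directory for leftover actions/checkout@v4
# refs, floating (non-SHA) action refs, and pull_request_target/workflow_run
# triggers. Sample workflow contents below are constructed for this demo.
set -eu

# Write a small constructed workflow tree into $1 (one clean, one stale file).
make_sample_workflows() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/test.yml" <<'EOF'
name: test
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v6.4.0
EOF
  cat > "$dir/stale.yml" <<'EOF'
name: stale
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/github-script@0123456789abcdef0123456789abcdef01234567 # synthetic SHA pin
EOF
}

# Print "<file>:<line>: <ref>" for every `uses:` line under directory $1.
list_uses() {
  grep -nH -E '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*' "$1"/*.yml \
    | sed -E 's/^([^:]+):([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/\1:\2: /'
}

# Number of actions/checkout@v4 references still present.
count_checkout_v4() {
  list_uses "$1" | grep -c 'actions/checkout@v4' || true
}

# Number of `uses:` refs that are NOT pinned to a full 40-hex commit SHA
# (floating tags such as @v7 or @v6.4.0 count as unpinned).
count_unpinned() {
  list_uses "$1" | grep -v -E '@[0-9a-f]{40}([[:space:]]|$)' | grep -c . || true
}

# Number of workflow files declaring a pull_request_target or workflow_run trigger.
count_fork_triggers() {
  grep -l -E '^[[:space:]]*(pull_request_target|workflow_run)[[:space:]]*:' "$1"/*.yml 2>/dev/null \
    | grep -c . || true
}

# Print a short report; succeed only when no @v4 refs and no fork-sensitive
# triggers remain (unpinned refs are reported but, matching the repo's stated
# convention of floating major tags, do not fail the audit).
audit_workflows() {
  dir="$1"
  v4=$(count_checkout_v4 "$dir")
  unpinned=$(count_unpinned "$dir")
  forks=$(count_fork_triggers "$dir")
  echo "leftover actions/checkout@v4 refs: $v4"
  echo "uses: refs not pinned to a commit SHA: $unpinned"
  echo "files with pull_request_target/workflow_run: $forks"
  [ "$v4" -eq 0 ] && [ "$forks" -eq 0 ]
}

# Stand-alone demo: `bash audit.sh demo` runs the audit on the constructed tree.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_sample_workflows "$tmp/workflows"
  audit_workflows "$tmp/workflows" || echo "audit: attention needed"
  rm -rf "$tmp"
fi
```

Pointing `audit_workflows` at a real checkout's `.github/workflows` gives the same three numbers the audit comments quote; the unpinned count is the list to work from if the team later adopts the SHA-pinning policy the LOW finding mentions.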
tangletools
left a comment
❌ 1 Blocking Finding — 3af47256
Full multi-shot audit completed 1/1 planned shots over 10 changed files. Global verifier still owns final merge decision.
Full immutable report for this review: trace
Summary comment for this run: full summary
tangletools · 2026-06-22T18:27:58Z · immutable trace
Bumps actions/checkout from 4 to 7.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump `@actions/core` and `@actions/tool-cache` and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)