build(deps): bump actions/checkout from 6 to 7 #285

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bug Scan Summary
Date: 2026-06-21
Commits inspected: PR #285 (e045e4b..46cff23); master delta e045e4b..34c8e02 (@mantine/hooks 9.3.1→9.3.2)
Result: No critical bugs found.
PR #285 — actions/checkout v6 → v7
Reviewed all 9 workflow files touched by this bump and traced each checkout call against v7’s documented breaking change (fork PR checkout blocked on pull_request_target / workflow_run unless allow-unsafe-pr-checkout: true).
| Workflow / job | Trigger | Fork PR checkout? | v7 impact |
|---|---|---|---|
| dependabot-auto-merge.yml | pull_request_target | No checkout step | None |
| docs.yml build | workflow_run (+ others) | Default base-repo ref only | None |
| build.yml docker-pr | pull_request | Yes (head.repo) | Not affected — v7 block applies only to pull_request_target / workflow_run |
| All other jobs | push, pull_request, schedule, workflow_dispatch | No fork checkout | None |
This is a CI-only dependency bump with no application-code changes. No data-loss, auth-bypass, crash, or race-condition paths identified.
Master since last scan (34c8e02)
Patch bump @mantine/hooks 9.3.1→9.3.2 — lockfile-only; no runtime logic changes. Below critical-confidence bar.
Deduplication: Open draft fixes remain for known pre-existing issues (#281 Imported scoping, #282 CHANGE_ME placeholder drop, #283 PasswordHash section-replace). No competing fix PR opened.
Sent by Cursor Automation: Torrentarr - Find critical bugs
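
The per-workflow trace described in the scan summary above, as an added example that is not code from this PR, the repository or actions/checkout: it reads a workflow file as text and classifies each `actions/checkout` step against the v7 behaviour as the summary states it. The `audit` function, the verdict strings and the sample workflow are constructed here, and treating a `github.event.*.head` reference as a fork checkout is this example's assumption, not the action's own logic.

```python
import re

# Triggers named in the scan summary; the head-ref pattern is this example's own
# heuristic (an assumption) for "the step checks out fork code".
PRIVILEGED = re.compile(r"\b(pull_request_target|workflow_run)\b")
HEAD_REF = re.compile(r"github\.event\.(pull_request|workflow_run)\.head")
OPT_IN = re.compile(r"^\s*allow-unsafe-pr-checkout:\s*['\"]?true\b", re.M)

def block_at(lines, i):
    """Text of the YAML node that starts at line i, found by indentation."""
    indent = lambda s: len(s) - len(s.lstrip())
    out = [lines[i]]
    for nxt in lines[i + 1:]:
        if nxt.strip() and indent(nxt) <= indent(lines[i]):
            break
        out.append(nxt)
    return "\n".join(out)

def audit(text):
    """Return (privileged triggers, one verdict per actions/checkout step)."""
    lines = text.splitlines()
    on = next((block_at(lines, i) for i, l in enumerate(lines)
               if re.match(r"[\"']?on[\"']?\s*:", l)), "")
    privileged = sorted(set(PRIVILEGED.findall(on)))
    verdicts = []
    for i, l in enumerate(lines):
        step = block_at(lines, i) if re.match(r"\s*-\s", l) else ""
        if not re.search(r"^\s*(-\s+)?uses:\s*actions/checkout@", step, re.M):
            continue
        fork = HEAD_REF.search(step)
        verdicts.append("not affected" if not privileged else
                        "base ref only" if not fork else
                        "opted in, review" if OPT_IN.search(step) else
                        "blocked by v7")
    return privileged, verdicts

# Constructed sample workflow, not one of the repository's files.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parsing is indentation-based and dependency-free, so a verdict of "opted in, review" or "blocked by v7" is a prompt to read that step by hand, not a final answer.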
PR Validation (Cursor Automation)
Recommendation: Merge
Primary reason: Clean workflow-only Dependabot bump; local merge with current master was conflict-free, and backend/frontend validation passed.
Gates
| Gate | Status | Notes |
|---|---|---|
| Merge conflicts | Pass | origin/master merged into origin/dependabot/github_actions/actions/checkout-7 cleanly; conflicts: none. |
| dotnet build | Pass | Release build succeeded with 0 errors. Existing warnings were not introduced by this workflow-only PR. |
| dotnet test (non-live) | Pass | 759 passed, 0 failed, 0 skipped across Core, Host, and Infrastructure tests. |
| vitest | Pass | 154 passed across 16 frontend test files. |
Validation
| Axis | Score | Notes |
|---|---|---|
| Purpose | Pass | Keeps GitHub workflows current by bumping actions/checkout from v6 to v7. |
| Correctness | Pass | Minimal version-only changes; existing checkout options and workflow structure are preserved. |
| Tests | Pass | No runtime behavior changes; full requested backend and frontend suites passed on the locally merged tree. |
| Hygiene | Pass | Scope is limited to 8 workflow files with no source, lockfile, or generated-file noise. |
| Overlap | Pass | No other open PR found for the same actions/checkout bump; known 2026-06-15 duplicate winners are unrelated. |
Why
The effective PR diff after merging current master is limited to replacing actions/checkout@v6 with actions/checkout@v7 in GitHub workflow files. The merge was clean, the Release build succeeded, and both non-live .NET tests and Vitest passed.
Note: docs/audits/pr-triage-*.md is not present on current master because the docs/audits directory has been removed; validation used the prompt-provided known-winner list plus an open-PR overlap search.
Overlap
None.
Commands run
- `git fetch origin master`
- `git fetch origin dependabot/github_actions/actions/checkout-7`
- `git checkout -B pr-validate origin/dependabot/github_actions/actions/checkout-7`
- `git merge origin/master`
- `rg "actions/checkout@" ".github/workflows"`
- `gh pr list --state open --search "actions/checkout" --json number,title,url,headRefName,author`
- `dotnet restore` (initial PATH check failed because `dotnet` was unavailable)
- `curl ... dotnet-install.sh --version 10.0.100 --install-dir /tmp/dotnet --no-path`
- `/tmp/dotnet/dotnet restore`
- `/tmp/dotnet/dotnet build -c Release`
- `/tmp/dotnet/dotnet test -c Release --no-build --filter "Category!=Live"`
- `cd webui && npm ci && npx vitest run`
Sent by Cursor Automation: Torrentarr PR validation triage


Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)