You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in actions/checkout#2458
Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in actions/checkout#2458
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
dependabotBot
changed the title
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3
chore(deps): bump actions/checkout from 6.0.2 to 7.0.0
Jun 24, 2026
Summary: Safe to merge. This is a clean 11-file update with no functional impact on this repo's workflows.
What changed
Every workflow pinned checkout was bumped from de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0. The pinning pattern (full commit SHA + version comment) is correct security practice — no issues there.
v7.0.0 Breaking Change: Fork PR Checkout Blocked
The headline change in v7.0.0 is blocking checkout of fork PRs for pull_request_target and workflow_run triggers. Checked all 11 workflows:
No workflows use pull_request_target — not affected.
release.yml uses workflow_run but only checks out the repo's own main branch (no ref pointing to a fork PR's ref) — not affected.
All other workflows use pull_request, push, issue_comment, etc. — not affected.
This security hardening is a net positive and doesn't change behavior for any workflow in this repo.
SHA-256 git repository improvements (from v6.0.3, included here)
No concerns with any of these for this repo.
v6.0.3 (also included)
SHA-256 repository fixes — no impact either way for this repo.
✅ Approve — straightforward dependency bump, no breaking changes for this repo's workflow patterns, and the security hardening in v7.0.0 is beneficial.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filegithub_actionsPull requests that update GitHub Actions code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 6.0.2 to 7.0.0.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)