chore(deps): bump actions/checkout from 6 to 7 #2338
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; none of these workflows use the pull_request_target/workflow_run triggers affected by v7's only behavioral change.
Extended reasoning...
Overview
This PR is a Dependabot version bump of actions/checkout from v6 to v7 across seven workflow files (claude.yml, conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line substitution actions/checkout@v6 → actions/checkout@v7; no other workflow logic, inputs, or permissions are touched.
Security risks
None introduced. The headline change in checkout v7 is actually a security hardening: it blocks checking out fork PR refs in pull_request_target and workflow_run workflows. None of the affected workflows in this repo use those triggers (they use push, pull_request, workflow_dispatch, schedule, issue_comment, issues, and review events), so the new restriction cannot break or change behavior here. The other v7 changes are internal (Node 24/ESM, dependency bumps), which GitHub-hosted ubuntu-latest runners support.
Level of scrutiny
Low. This is a CI-only, mechanical dependency bump produced by Dependabot with no application code changes, no public API impact, and no need for a changeset (it doesn't ship in any package). Per the repo's CI/GitHub Actions guidance, no failure claims are warranted — the v7 release notes were checked and no breaking behavior applies to these workflows.
Other factors
The bug-hunting system found no issues, there are no outstanding reviewer comments, and the changeset-bot notice is expected for a workflow-only change. CI on the PR will exercise most of these workflows directly, providing additional verification before merge.
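The review above turns on a single question: does any workflow combine a pull_request_target or workflow_run trigger with a checkout of the pull request head? That is the combination checkout v7 blocks for fork PRs, and it is the classic "pwn request" shape (untrusted code checked out and built under a token with the base repository's privileges). The script below is an added example, not code from this SDK repository or from actions/checkout; it is a line-based audit for that pattern, run over three constructed workflow texts. It assumes the usual layout where the `on:` block precedes `jobs:`, recognizes the common head-ref expressions listed in `HEAD_REF_PATTERNS`, and does not parse full YAML, so treat it as a triage filter rather than a proof of safety.

```python
"""Audit GitHub Actions workflow text for the pattern actions/checkout v7
blocks: a pull_request_target or workflow_run trigger combined with a
checkout of the (attacker-controlled) PR head.  Example code, line-based
heuristic, no YAML parser required."""
import re

RISKY_TRIGGERS = ("pull_request_target", "workflow_run")
# Expressions that resolve to the PR head; under the risky triggers these
# are controlled by whoever opened the PR, while the token is privileged.
HEAD_REF_PATTERNS = (
    r"github\.event\.pull_request\.head\.(sha|ref)",
    r"github\.event\.workflow_run\.head_(sha|branch)",
    r"github\.head_ref",
)
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?actions/checkout@(\S+)")
REF_RE = re.compile(r"^\s*ref:\s*(.+)$")


def risky_triggers(workflow_text: str) -> list[str]:
    """Return the risky triggers named in the `on:` section.
    Assumes `on:` precedes `jobs:` (the usual layout)."""
    head = workflow_text.split("\njobs:", 1)[0]
    found = []
    for trig in RISKY_TRIGGERS:
        # Either a mapping key (`pull_request_target:`) or a flow-list item.
        if re.search(rf"(?m)^\s*-?\s*{trig}\s*:|[\[,\s]{trig}[\],\s]", head):
            found.append(trig)
    return found


def checkout_steps(workflow_text: str) -> list[dict]:
    """Return every actions/checkout step with its version and `ref:` input."""
    lines = workflow_text.splitlines()
    steps = []
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # Keys of this step sit at key_indent; the next step's dash is shallower.
        key_indent = indent + 2 if stripped.startswith("- ") else indent
        step = {"line": i + 1, "version": m.group(1), "ref": None}
        for nxt in lines[i + 1:]:
            if nxt.strip() and (len(nxt) - len(nxt.lstrip())) < key_indent:
                break
            r = REF_RE.match(nxt)
            if r:
                step["ref"] = r.group(1).strip()
        steps.append(step)
    return steps


def audit(workflow_text: str) -> list[str]:
    """Findings: a risky trigger plus a checkout whose ref is the PR head.
    A risky trigger with a default checkout (base ref) is not flagged."""
    triggers = risky_triggers(workflow_text)
    if not triggers:
        return []
    findings = []
    for step in checkout_steps(workflow_text):
        ref = step["ref"] or ""
        if any(re.search(p, ref) for p in HEAD_REF_PATTERNS):
            findings.append(
                f"line {step['line']}: actions/checkout@{step['version']} checks out "
                f"untrusted head ({ref}) under {', '.join(triggers)}; "
                f"this is the pattern checkout v7 blocks for fork PRs"
            )
    return findings


# Constructed sample workflows (not from the SDK repository).
UNSAFE = """name: pr-preview
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""

SAFE = """name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - run: npm ci && npm test
"""

SAFE_TARGET = """name: label
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - run: ./scripts/label.sh
"""

if __name__ == "__main__":
    for name, text in (("UNSAFE", UNSAFE), ("SAFE", SAFE), ("SAFE_TARGET", SAFE_TARGET)):
        print(name, audit(text) or "no findings")
```

Running it flags only the first workflow: `pull_request_target` with a `ref:` pointing at the PR head. The third workflow also uses `pull_request_target` but checks out the default (base) ref, which is the sanctioned use of that trigger and is exactly the case the SDK's own workflows fall outside of, since they use neither trigger.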
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)