chore(deps): bump actions/checkout from 6 to 7#3407
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. |
@faststore/api
@faststore/cli
@faststore/components
@faststore/core
@faststore/diagnostics
@faststore/lighthouse
@faststore/sdk
@faststore/ui
commit: |
|
renatomaurovtex
left a comment
There was a problem hiding this comment.
Reviewed the actions/checkout v6 → v7 bump across the four workflows (ci.yml, codeql-analysis.yml, packages-preview.yml, release.yml). This is a CI-only change — it does not touch any published package's runtime deps, so no Dependency Discipline sign-off is required.
💬 [ci] v7 breaking change does not apply here — safe
v7.0.0's only behavioral break is "block checking out fork PR for pull_request_target and workflow_run". None of the four bumped workflows use those triggers — they run on push / pull_request / schedule only, and release.yml runs on push to main/dev/3.x with an explicit token + fetch-depth: 0. So the guard has no impact on this repo. The rest of v7 is an ESM migration + internal npm dep bumps, transparent for plain checkout usage. Consistent with the recent v4→v6 bump in #3391.
💬 [ci] Red "FastStore" check is the Chromatic step, not this bump
The failing FastStore run dies inside chromaui/action@v17 (getOptions → Error in optimistic validation: Cannot read properties of undefined (reading 'read')) because dependabot PRs don't receive the Chromatic project token secret. The @faststore/storybook:build right before it succeeds, and the sibling FastStore check (build + test), ci/codesandbox, faststore-node-ci-v2 and SonarQube are all green. This is the known dependabot-secrets pattern, not a checkout regression — safe to merge once a maintainer re-runs / confirms the UI Tests token path.
Verdict: Approved with comments
Blocking (🔴/🟠):
- none
Non-blocking (🟡/💬):
- v7's fork-PR guard doesn't affect these workflows (no
pull_request_target/workflow_run). - The red
FastStorecheck is Chromatic missing its token on dependabot PRs, not a regression from this bump.
Checks to confirm before merge: the two FastStore jobs (build+test already green; the Chromatic/UI Tests one only needs the token) — no pnpm size needed, nothing ships to the bundle.

0 New Issues
0 Fixed Issues
0 Accepted Issues
No data about coverage (22.40% Estimated after merge)
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)