chore(deps): bump actions/checkout from 6 to 7 #2338
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/core
@modelcontextprotocol/server
@modelcontextprotocol/server-legacy
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; none of these workflows use the pull_request_target/workflow_run triggers affected by v7's only behavioral change.
Extended reasoning...
Overview
This PR is a Dependabot version bump of actions/checkout from v6 to v7 across seven workflow files (claude.yml, conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line substitution actions/checkout@v6 → actions/checkout@v7; no other workflow logic, inputs, or permissions are touched.
Security risks
None introduced. The headline change in checkout v7 is actually a security hardening: it blocks checking out fork PR refs in pull_request_target and workflow_run workflows. None of the affected workflows in this repo use those triggers (they use push, pull_request, workflow_dispatch, schedule, issue_comment, issues, and review events), so the new restriction cannot break or change behavior here. The other v7 changes are internal (Node 24/ESM, dependency bumps), which GitHub-hosted ubuntu-latest runners support.
Level of scrutiny
Low. This is a CI-only, mechanical dependency bump produced by Dependabot with no application code changes, no public API impact, and no need for a changeset (it doesn't ship in any package). Per the repo's CI/GitHub Actions guidance, no failure claims are warranted — the v7 release notes were checked and no breaking behavior applies to these workflows.
Other factors
The bug-hunting system found no issues, there are no outstanding reviewer comments, and the changeset-bot notice is expected for a workflow-only change. CI on the PR will exercise most of these workflows directly, providing additional verification before merge.
22c1d51 to 6b09c88
LGTM — straightforward Dependabot bump of actions/checkout v6 → v7 across all workflows.
Extended reasoning...
Overview
This PR is a Dependabot-generated bump of actions/checkout from v6 to v7 in seven workflow files (claude.yml, conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line version-tag swap; no other workflow logic is touched.
Security risks
None introduced. The only behavioral/breaking change in checkout v7 is that it blocks checking out fork PR head refs for pull_request_target and workflow_run events — a security hardening measure. I verified that no workflow in .github/workflows/ uses either of those triggers, so the change cannot break any existing job. The bump otherwise consists of dependency updates and an ESM migration internal to the action.
Level of scrutiny
Low. This is a mechanical CI dependency bump following the established pattern (the repo already pins or version-tags its actions and routinely takes Dependabot bumps). It does not touch SDK source, the public API, or release/publish logic beyond the checkout step itself. Per the repo's review conventions on CI changes, I confirmed the claimed v7 behavior against the action's release notes rather than asserting failure modes from memory.
Other factors
The bug-hunting system found no issues, and the changeset-bot's "no changeset" notice is expected since workflow-only changes don't require a version bump. CI on the PR exercises the bumped action directly (every job starts with checkout), so any incompatibility would surface immediately in the PR's own checks.
6b09c88 to aaef4c7
LGTM — mechanical Dependabot bump of actions/checkout v6 → v7 across all workflows; none of them use pull_request_target or workflow_run, so v7's fork-PR checkout restriction (its only behavioral breaking change) doesn't affect this repo.
Extended reasoning...
Overview
This Dependabot PR updates actions/checkout from v6 to v7 in all eight workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line version bump; no checkout inputs or other workflow logic are touched.
Security risks
None introduced. The notable v7 change is actually security-positive: checkout v7 blocks checking out fork PR refs under pull_request_target and workflow_run events. I verified that none of this repo's workflows use those triggers (they use push, pull_request, workflow_dispatch, schedule, issue_comment, issues, and review events), so this restriction cannot break any existing job. actions/checkout remains pinned by major-version tag, consistent with the repo's existing convention for first-party GitHub actions.
Level of scrutiny
Low. This is CI configuration only — no SDK source, types, or published package code changes, and no changeset is needed. The remaining v7 changes are internal (ESM migration, dependency bumps), and the workflows' usage of checkout is plain default checkouts plus one fetch-depth: 1, all fully supported in v7. Per the repo's CI review guidance, I checked the action's release notes/changelog rather than asserting behavior from memory.
Other factors
No bugs were reported by the bug hunting system, and the PR timeline contains only automated bot comments (changeset-bot, pkg-pr-new) with no outstanding reviewer feedback. Any residual risk would surface immediately as a red checkout step in CI rather than as a latent runtime issue.
aaef4c7 to 858440a
LGTM — mechanical actions/checkout v6→v7 bump across workflows; the v7 breaking change (blocking fork-PR checkout under pull_request_target/workflow_run) doesn't apply since no workflow in this repo uses those triggers.
Extended reasoning...
Overview
Dependabot bump of actions/checkout from v6 to v7 across all 8 workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line version reference update; no inputs or step logic are modified.
Security risks
None introduced. The v7 release's only breaking behavior is that it blocks checking out fork PR head refs under pull_request_target and workflow_run events — a security hardening change. I grepped .github/workflows/ and confirmed no workflow in this repo uses either trigger (events used are push, pull_request, workflow_dispatch, schedule, issue_comment, issues, pull_request_review, pull_request_review_comment), so nothing in this repo is affected by that change. The remaining v7 changes are internal dependency bumps and an ESM migration of the action itself.
Level of scrutiny
Low. This is CI configuration only — no SDK source, types, or published package code is touched, so no changeset is needed (consistent with the changeset-bot notice). Any actual breakage would surface immediately as red checks on this PR's own CI runs (main, conformance, examples, publish-preview all run on pull_request).
Other factors
Per the repo's review conventions for .github/workflows/ diffs, I verified the claimed v7 behavior against the actions/checkout changelog included in the PR description rather than asserting failure modes from memory. The runners are ubuntu-latest, which satisfies v7's runtime requirements. No bugs were found by the bug hunting system and there are no outstanding reviewer comments.
858440a to 95e82f4
LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; the v7 breaking change (blocking fork-PR checkout) only affects pull_request_target/workflow_run triggers, which no workflow in this repo uses.
Extended reasoning...
Overview
Dependabot PR bumping actions/checkout from v6 to v7 in all 8 workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line uses: actions/checkout@v6 → @v7 substitution; no inputs or surrounding steps are touched.
Security risks
None introduced. The only behavioral change in checkout v7 is a hardening one: it now blocks checking out fork PR head refs under pull_request_target and workflow_run triggers. A grep of .github/ confirms no workflow in this repo uses either trigger, so nothing breaks and the bump otherwise tightens, not loosens, the security posture. The remaining v7 changes are internal (ESM migration, dependency bumps) and don't affect workflow inputs or outputs.
Level of scrutiny
Low. This is CI configuration, not shipped SDK code, and it's a fully mechanical version bump generated by Dependabot. Per the repo's review conventions on CI/GitHub Actions, I verified the claimed v7 behavior against the release notes rather than asserting failure modes from memory; nothing in the changelog conflicts with how these workflows invoke checkout (default inputs, plus fetch-depth: 1 in claude.yml, which is unaffected).
Other factors
The bug-hunting system found no issues, the changeset bot correctly notes no changeset is needed for workflow-only changes, and any breakage would surface immediately in CI on this PR rather than in published packages.
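The trigger check the reviews above describe (confirming that no workflow in .github/workflows/ uses pull_request_target or workflow_run before taking the checkout v7 bump), written out as an added Python example that is not part of this PR or of the modelcontextprotocol repo. The two sample workflows are constructed for the example, the `on:`-block scanner is a line-based heuristic of my own rather than a YAML parser, and the set of restricted triggers is taken from the v7 changelog quoted in this PR.

```python
import re
from pathlib import Path

# The two triggers for which actions/checkout v7 refuses to check out a fork
# PR's head ref, per the v7 changelog quoted in this PR.
RESTRICTED_TRIGGERS = {"pull_request_target", "workflow_run"}

# Matches `uses: actions/checkout@<ref>` and captures the ref (tag, branch or SHA).
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@(\S+)")


def on_block(text):
    """Return the lines of a workflow's top-level `on:` section.

    Line-scan heuristic rather than a YAML parser (assumption: no PyYAML
    available). `on` is also accepted spelled `"on"` or `true`, since YAML 1.1
    loaders treat the bare key as a boolean.
    """
    lines, inside = [], False
    for line in text.splitlines():
        if not inside:
            if re.match(r'^(?:on|"on"|true)\s*:', line):
                inside = True
                lines.append(line)
            continue
        # The section ends at the next non-indented, non-comment line.
        if line.strip() and not line[0].isspace() and not line.startswith("#"):
            break
        lines.append(line)
    return lines


def workflow_triggers(text):
    """Set of event names a workflow runs on (inline, flow-sequence, map or list form)."""
    block = on_block(text)
    if not block:
        return set()
    names = set()
    _, _, inline = block[0].partition(":")
    inline = inline.strip()
    if inline:  # `on: push` or `on: [push, workflow_run]`
        names.update(n.strip() for n in inline.strip("[]").split(",") if n.strip())
    indent = None
    for line in block[1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        depth = len(line) - len(line.lstrip())
        if indent is None:
            indent = depth  # the first nested level holds the trigger names
        if depth != indent:
            continue  # deeper lines are filters such as `branches:` or `types:`
        if stripped.startswith("- "):
            names.add(stripped[2:].strip())  # list form: `- pull_request`
        else:
            names.add(stripped.split(":", 1)[0].strip())  # map form: `pull_request:`
    return names


def audit_workflow(text):
    """Report whether a workflow combines a restricted trigger with actions/checkout."""
    triggers = workflow_triggers(text)
    refs = set(CHECKOUT_RE.findall(text))
    restricted = triggers & RESTRICTED_TRIGGERS
    return {
        "triggers": triggers,
        "checkout_refs": refs,
        "restricted_triggers": restricted,
        "affected": bool(restricted and refs),
    }


def audit_directory(workflows_dir):
    """Audit every *.yml / *.yaml file in a .github/workflows directory."""
    root = Path(workflows_dir)
    return {p.name: audit_workflow(p.read_text(encoding="utf-8"))
            for p in sorted(root.glob("*.y*ml"))}


# Constructed sample: the shape of the workflows in this PR (default checkout, fetch-depth: 1).
SAFE_WORKFLOW = """\
name: main
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 1
"""

# Constructed sample of a workflow the v7 restriction would apply to.
FLAGGED_WORKFLOW = """\
name: label
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
"""

if __name__ == "__main__":
    for name, wf in (("safe", SAFE_WORKFLOW), ("flagged", FLAGGED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

Run `audit_directory(".github/workflows")` from a checkout of the repo to reproduce the reviewers' grep; a workflow only shows up as `affected` when it both listens on one of the two restricted triggers and invokes actions/checkout, which is the combination v7 changes behaviour for.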
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
95e82f4 to e4a7526
LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; no workflow here uses pull_request_target or workflow_run, so v7's only behavioral change (blocking fork-PR checkout for those triggers) doesn't apply.
Extended reasoning...
Overview
This is a Dependabot PR that bumps actions/checkout from v6 to v7 in all eight workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line version reference update; no inputs, permissions, or other workflow logic are touched.
Security risks
None introduced. checkout v7's notable change is a hardening one — it blocks checking out fork PR refs under pull_request_target and workflow_run events. None of the affected workflows use those triggers (they use push, pull_request, workflow_dispatch, schedule, and issue/review comment events), so the new restriction cannot break or change behavior here. The other v7 changes are internal (Node/ESM upgrade, dependency bumps), and all jobs run on GitHub-hosted ubuntu-latest runners, which support the required runner/Node version.
Level of scrutiny
CI configuration only — no SDK source, protocol, or published-package code is modified. The release/publish workflows are touched, but only the checkout step's version tag, with credentials handling and publish steps unchanged. Per the repo's CI guidance, I verified the claimed v7 behavior against the action's changelog rather than asserting failure modes from memory.
Other factors
The bug hunting system found no issues, and the only timeline activity is the standard changeset-bot and pkg-pr-new comments (no changeset is needed for a workflow-only change). CI runs on this PR will exercise the bumped action directly, providing a concrete check that checkout v7 works in these workflows.
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)