chore(deps): bump actions/checkout from 6 to 7 #2338

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/checkout-7

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

@dependabot dependabot Bot added labels Jun 22, 2026: dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 18:34

changeset-bot Bot commented Jun 22, 2026

⚠️ No Changeset found

Latest commit: e4a7526

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

pkg-pr-new Bot commented Jun 22, 2026

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2338

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/@modelcontextprotocol/codemod@2338

@modelcontextprotocol/core

npm i https://pkg.pr.new/@modelcontextprotocol/core@2338

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2338

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/@modelcontextprotocol/server-legacy@2338

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2338

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2338

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2338

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2338

commit: e4a7526

@claude claude Bot left a comment

LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; none of these workflows use the pull_request_target/workflow_run triggers affected by v7's only behavioral change.

Extended reasoning...

Overview

This PR is a Dependabot version bump of actions/checkout from v6 to v7 across seven workflow files (claude.yml, conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line substitution actions/checkout@v6 → actions/checkout@v7; no other workflow logic, inputs, or permissions are touched.

Security risks

None introduced. The headline change in checkout v7 is actually a security hardening: it blocks checking out fork PR refs in pull_request_target and workflow_run workflows. None of the affected workflows in this repo use those triggers (they use push, pull_request, workflow_dispatch, schedule, issue_comment, issues, and review events), so the new restriction cannot break or change behavior here. The other v7 changes are internal (Node 24/ESM, dependency bumps), which GitHub-hosted ubuntu-latest runners support.

Level of scrutiny

Low. This is a CI-only, mechanical dependency bump produced by Dependabot with no application code changes, no public API impact, and no need for a changeset (it doesn't ship in any package). Per the repo's CI/GitHub Actions guidance, no failure claims are warranted — the v7 release notes were checked and no breaking behavior applies to these workflows.

Other factors

The bug-hunting system found no issues, there are no outstanding reviewer comments, and the changeset-bot notice is expected for a workflow-only change. CI on the PR will exercise most of these workflows directly, providing additional verification before merge.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from 22c1d51 to 6b09c88 June 25, 2026 18:44

@claude claude Bot left a comment

LGTM — straightforward Dependabot bump of actions/checkout v6 → v7 across all workflows.

Extended reasoning...

Overview

This PR is a Dependabot-generated bump of actions/checkout from v6 to v7 in seven workflow files (claude.yml, conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line version-tag swap; no other workflow logic is touched.

Security risks

None introduced. The only behavioral/breaking change in checkout v7 is that it blocks checking out fork PR head refs for pull_request_target and workflow_run events — a security hardening measure. I verified that no workflow in .github/workflows/ uses either of those triggers, so the change cannot break any existing job. The bump otherwise consists of dependency updates and an ESM migration internal to the action.

Level of scrutiny

Low. This is a mechanical CI dependency bump following the established pattern (the repo already pins or version-tags its actions and routinely takes Dependabot bumps). It does not touch SDK source, the public API, or release/publish logic beyond the checkout step itself. Per the repo's review conventions on CI changes, I confirmed the claimed v7 behavior against the action's release notes rather than asserting failure modes from memory.

Other factors

The bug-hunting system found no issues, and the changeset-bot's "no changeset" notice is expected since workflow-only changes don't require a version bump. CI on the PR exercises the bumped action directly (every job starts with checkout), so any incompatibility would surface immediately in the PR's own checks.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from 6b09c88 to aaef4c7 June 26, 2026 13:03

@claude claude Bot left a comment

LGTM — mechanical Dependabot bump of actions/checkout v6 → v7 across all workflows; none of them use pull_request_target or workflow_run, so v7's fork-PR checkout restriction (its only behavioral breaking change) doesn't affect this repo.

Extended reasoning...

Overview

This Dependabot PR updates actions/checkout from v6 to v7 in all eight workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line version bump; no checkout inputs or other workflow logic are touched.

Security risks

None introduced. The notable v7 change is actually security-positive: checkout v7 blocks checking out fork PR refs under pull_request_target and workflow_run events. I verified that none of this repo's workflows use those triggers (they use push, pull_request, workflow_dispatch, schedule, issue_comment, issues, and review events), so this restriction cannot break any existing job. actions/checkout remains pinned by major-version tag, consistent with the repo's existing convention for first-party GitHub actions.

Level of scrutiny

Low. This is CI configuration only — no SDK source, types, or published package code changes, and no changeset is needed. The remaining v7 changes are internal (ESM migration, dependency bumps), and the workflows' usage of checkout is plain default checkouts plus one fetch-depth: 1, all fully supported in v7. Per the repo's CI review guidance, I checked the action's release notes/changelog rather than asserting behavior from memory.

Other factors

No bugs were reported by the bug hunting system, and the PR timeline contains only automated bot comments (changeset-bot, pkg-pr-new) with no outstanding reviewer feedback. Any residual risk would surface immediately as a red checkout step in CI rather than as a latent runtime issue.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from aaef4c7 to 858440a June 30, 2026 14:50

@claude claude Bot left a comment

LGTM — mechanical actions/checkout v6→v7 bump across workflows; the v7 breaking change (blocking fork-PR checkout under pull_request_target/workflow_run) doesn't apply since no workflow in this repo uses those triggers.

Extended reasoning...

Overview

Dependabot bump of actions/checkout from v6 to v7 across all 8 workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the same one-line version reference update; no inputs or step logic are modified.

Security risks

None introduced. The v7 release's only breaking behavior is that it blocks checking out fork PR head refs under pull_request_target and workflow_run events — a security hardening change. I grepped .github/workflows/ and confirmed no workflow in this repo uses either trigger (events used are push, pull_request, workflow_dispatch, schedule, issue_comment, issues, pull_request_review, pull_request_review_comment), so nothing in this repo is affected by that change. The remaining v7 changes are internal dependency bumps and an ESM migration of the action itself.

Level of scrutiny

Low. This is CI configuration only — no SDK source, types, or published package code is touched, so no changeset is needed (consistent with the changeset-bot notice). Any actual breakage would surface immediately as red checks on this PR's own CI runs (main, conformance, examples, publish-preview all run on pull_request).

Other factors

Per the repo's review conventions for .github/workflows/ diffs, I verified the claimed v7 behavior against the actions/checkout changelog included in the PR description rather than asserting failure modes from memory. The runners are ubuntu-latest, which satisfies v7's runtime requirements. No bugs were found by the bug hunting system and there are no outstanding reviewer comments.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from 858440a to 95e82f4 June 30, 2026 15:05

@claude claude Bot left a comment

LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; the v7 breaking change (blocking fork-PR checkout) only affects pull_request_target/workflow_run triggers, which no workflow in this repo uses.

Extended reasoning...

Overview

Dependabot PR bumping actions/checkout from v6 to v7 in all 8 workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line uses: actions/checkout@v6 → @v7 substitution; no inputs or surrounding steps are touched.

Security risks

None introduced. The only behavioral change in checkout v7 is a hardening one: it now blocks checking out fork PR head refs under pull_request_target and workflow_run triggers. A grep of .github/ confirms no workflow in this repo uses either trigger, so nothing breaks and the bump otherwise tightens, not loosens, the security posture. The remaining v7 changes are internal (ESM migration, dependency bumps) and don't affect workflow inputs or outputs.

Level of scrutiny

Low. This is CI configuration, not shipped SDK code, and it's a fully mechanical version bump generated by Dependabot. Per the repo's review conventions on CI/GitHub Actions, I verified the claimed v7 behavior against the release notes rather than asserting failure modes from memory; nothing in the changelog conflicts with how these workflows invoke checkout (default inputs, plus fetch-depth: 1 in claude.yml, which is unaffected).

Other factors

The bug-hunting system found no issues, the changeset bot correctly notes no changeset is needed for workflow-only changes, and any breakage would surface immediately in CI on this PR rather than in published packages.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-7 branch from 95e82f4 to e4a7526 June 30, 2026 20:20

@claude claude Bot left a comment

LGTM — mechanical Dependabot bump of actions/checkout v6→v7 across all workflows; no workflow here uses pull_request_target or workflow_run, so v7's only behavioral change (blocking fork-PR checkout for those triggers) doesn't apply.

Extended reasoning...

Overview

This is a Dependabot PR that bumps actions/checkout from v6 to v7 in all eight workflow files (claude.yml, conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical one-line version reference update; no inputs, permissions, or other workflow logic are touched.

Security risks

None introduced. checkout v7's notable change is a hardening one — it blocks checking out fork PR refs under pull_request_target and workflow_run events. None of the affected workflows use those triggers (they use push, pull_request, workflow_dispatch, schedule, and issue/review comment events), so the new restriction cannot break or change behavior here. The other v7 changes are internal (Node/ESM upgrade, dependency bumps), and all jobs run on GitHub-hosted ubuntu-latest runners, which support the required runner/Node version.

Level of scrutiny

CI configuration only — no SDK source, protocol, or published-package code is modified. The release/publish workflows are touched, but only the checkout step's version tag, with credentials handling and publish steps unchanged. Per the repo's CI guidance, I verified the claimed v7 behavior against the action's changelog rather than asserting failure modes from memory.

Other factors

The bug hunting system found no issues, and the only timeline activity is the standard changeset-bot and pkg-pr-new comments (no changeset is needed for a workflow-only change). CI runs on this PR will exercise the bumped action directly, providing a concrete check that checkout v7 works in these workflows.
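
The trigger check the review comments above describe (looking through .github/workflows/ for pull_request_target and workflow_run), as an added example that is not part of this PR or the repository's code. It reads only the top-level on: value of each workflow, so a trigger name that merely appears in a step or a comment is not counted, and it reports files that both declare one of the two triggers and use actions/checkout. The function names and the two sample workflows are constructed for illustration.

```python
import re
from pathlib import Path

RISKY = ("pull_request_target", "workflow_run")
CHECKOUT = re.compile(r"uses:\s*['\"]?(actions/checkout@[^\s'\"#]+)")
ON_KEY = re.compile(r"^(?:on|'on'|\"on\")\s*:(.*)$")

def on_block(text):
    """Return the text of the top-level `on:` value (inline or indented block)."""
    out, inside = [], False
    for line in text.splitlines():
        m = ON_KEY.match(line)
        if m:
            inside = True
            out.append(m.group(1))
        elif inside:
            if line.strip() and not line[0].isspace() and not line.startswith("#"):
                break  # the next top-level key ends the block
            out.append(line)
    return "\n".join(out)

def audit(text):
    """Return (risky triggers declared, checkout refs used) for one workflow."""
    # Drop YAML comments so a trigger named only in a comment is ignored.
    block = "\n".join(l.split("#", 1)[0] for l in on_block(text).splitlines())
    triggers = [t for t in RISKY if re.search(rf"(?<![\w-]){t}(?![\w-])", block)]
    return triggers, CHECKOUT.findall(text)

def scan(root=".github/workflows"):
    """Audit every workflow under root; keep the files that need a manual look."""
    findings = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        triggers, refs = audit(path.read_text(encoding="utf-8"))
        if triggers and refs:
            findings[path.name] = (triggers, refs)
    return findings

# Constructed sample workflows, not taken from the repository under review.
SAFE = "on:\n  push:\n  pull_request:\njobs:\n  build:\n    steps:\n      - uses: actions/checkout@v7\n"
AFFECTED = "on: [pull_request_target, issues]\njobs:\n  triage:\n    steps:\n      - uses: actions/checkout@v7\n"

if __name__ == "__main__":
    print("safe sample:    ", audit(SAFE))
    print("affected sample:", audit(AFFECTED))
    print("this checkout:  ", scan() or "no workflow combines these triggers with checkout")
```

An empty result from `scan()` corresponds to the condition the reviews rely on; a non-empty one lists the workflows whose checkout step should be read by hand before taking the bump.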
