Skip to content

chore(deps): update github-actions (major)#170

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions
Open

chore(deps): update github-actions (major)#170
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6.0.2v7.0.0
sorenlouv/backport-github-action action major v11.0.0v12.0.4

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

sorenlouv/backport-github-action (sorenlouv/backport-github-action)

v12.0.4

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.4

v12.0.3

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.3

v12.0.2

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.2

v12.0.1

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.1

v12.0.0

Compare Source

Update backport to 12.0.0

v12

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 1m 53s —— View job


Review

Mechanical bump. Only one substantive risk worth flagging.

⚠️ Potential breaking change: actions/checkout v7 blocks fork-PR checkout under pull_request_target

Per the v7 changelog, actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run" — this is exactly the pattern used in .github/workflows/claude-code-review.yaml:

  • Line 4: reusable workflow (workflow_call) — invoked by callers that (per the in-file comment on line 17) use pull_request_target so secrets are available for fork PRs "by design"
  • Line 30: ref: ${{ github.event.pull_request.head.sha }} — the fork PR head SHA
  • Lines 42–51: an entire "Setup fork as origin for Claude" step, so fork PRs are explicitly a supported path

If the v7 block is a hard failure (not opt-in), every Claude code-review run on a fork PR will start failing at the checkout step after this merges and callers pick up @main. Callers include downstream repos, so the blast radius extends beyond this repo.

Please verify against v7's actual behavior before merging:

  1. Read actions/checkout PR #2454 — does v7 add a new input (e.g. allow-fork-pr or similar) to opt back into the old behavior, or is it a hard block?
  2. If a hard block: either keep checkout@v6 on claude-code-review.yaml (and any downstream workflow that runs under pull_request_target + checks out head.sha), or drop the reusable workflow's fork-PR support.
  3. If opt-in escape hatch exists: add the required input on line 28 with a comment explaining why fork PRs are intentionally allowed here.

Note: ai-pr-review.yaml is not affected — its job gates on github.event.pull_request.head.repo.full_name == github.repository (line 43), skipping fork PRs entirely.

Not an issue

  • sorenlouv/backport-github-action v11→v12: backport.yaml only passes standard inputs (github_token, auto_backport_label_prefix, add_original_reviewers), none of which appear affected by the v12 release notes (release automation + npm dep bumps only).
  • SHA pinning is consistent across all 38 files (9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for checkout, 8a6c0381851f43f9f1fddc7303f0e9015eb57b62 for backport).
    · Branch

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved by the shared auto-approve workflow because this PR matched the approval criteria.

For more information, see https://github.com/loft-sh/github-actions?tab=readme-ov-file#auto-approve-bot-prs.

@renovate renovate Bot force-pushed the renovate/major-github-actions branch from 8a5e40a to 72611a3 Compare July 9, 2026 08:10
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 4m 14s —— View job


Review

Renovate rebased/force-pushed (commit 72611a3, 08:10 UTC) with no substantive change from the diff reviewed yesterday. The primary risk still stands.

⚠️ actions/checkout v7 fork-PR block breaks claude-code-review.yaml

Per the v7.0.0 changelog: actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run". This is exactly what claude-code-review.yaml is designed to do:

  • L4: workflow_call reusable workflow.
  • L16-17: comment explicitly states callers invoke it via pull_request_target so secrets are available for fork PRs "by design".
  • L28-30: actions/checkout@v7 with ref: ${{ github.event.pull_request.head.sha }} — the fork PR head SHA.
  • L42-51: dedicated "Setup fork as origin for Claude" step, i.e. fork PRs are a first-class supported path.

If v7 hard-blocks (rather than opt-in warns), every caller running claude-code-review.yaml@main will fail at the checkout step on fork PRs after merge — blast radius includes downstream repos consuming this reusable workflow.

I could not verify v7's exact behavior against upstream (gh api, curl, and WebFetch are all sandboxed in this job). Please confirm one of the following before merging:

  1. Hard block, no bypass: keep checkout@v6.0.3 on claude-code-review.yaml (a bare-minimum fix; the rest of the repo can safely go to v7).
  2. Opt-in via input (e.g. some new allow-fork-pr / equivalent): add it on L28-32 with a comment linking to #2454 and justifying why fork PRs are intentionally allowed here.
  3. Detection by ref vs. event, not eventName: verify the specific check by reading src/input-helper.ts.

Fix this →

Not an issue

  • ai-pr-review.yaml is safe — gated on github.event.pull_request.head.repo.full_name == github.repository (L43), so fork PRs are skipped upstream of checkout.
  • sorenlouv/backport-github-action v11→v12: backport.yaml passes only github_token, auto_backport_label_prefix, add_original_reviewers — none touched by the v12 release notes (CI automation + npm bumps only).
  • SHA pins are consistent and match the claimed tags across all 39 files.

Todos:

  • Verify actions/checkout v7 fork-PR block affects claude-code-review.yaml
  • Verify sorenlouv/backport v11→v12 input compatibility
  • Verify SHA pins match across changed files
  • Post review
    · Branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants