chore(deps): bump actions/checkout from 6.0.3 to 7.0.0

[dependabot]

Bumps actions/checkout from 6.0.3 to 7.0.0.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

• block checking out fork pr for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462
• getting ready for checkout v7 release by @​aiqiaoy in actions/checkout#2464
• update error wording by @​aiqiaoy in actions/checkout#2467

New Contributors

• @​aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

... (truncated)

Commits

• 9c091bb update error wording (#2467)
• 1044a6d getting ready for checkout v7 release (#2464)
• f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
• d914b26 upgrade module to esm and update dependencies (#2463)
• 537c7ef Bump @​actions/core and @​actions/tool-cache and Remove uuid (#2459)
• 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
• 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
• 0f9f3aa Bump actions/publish-immutable-action (#2458)
• f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 28 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (0) and the head SHA (1) do not match. You may see unexpected additions in the diff.

Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

License Issues

go.mod

Package	Version	License	Issue Type
github.com/aymanbagabas/go-pty	v0.2.3	Null	Unknown License
github.com/creack/pty	v1.1.24	Null	Unknown License
github.com/davecgh/go-spew	v1.1.1	Null	Unknown License
github.com/hashicorp/go-version	v1.9.0	Null	Unknown License
github.com/otiai10/copy	v1.14.1	Null	Unknown License
github.com/pmezard/go-difflib	v1.0.0	Null	Unknown License
github.com/sirupsen/logrus	v1.9.4	Null	Unknown License
github.com/spf13/cobra	v1.10.2	Null	Unknown License
github.com/spf13/pflag	v1.0.10	Null	Unknown License
github.com/stretchr/testify	v1.11.1	Null	Unknown License
golang.org/x/crypto	v0.52.0	Null	Unknown License
golang.org/x/sys	v0.46.0	Null	Unknown License
golang.org/x/term	v0.44.0	Null	Unknown License
gopkg.in/yaml.v3	v3.0.1	Null	Unknown License
github.com/aymanbagabas/go-pty	v0.2.3	Null	Unknown License
github.com/creack/pty	v1.1.24	Null	Unknown License
github.com/davecgh/go-spew	v1.1.1	Null	Unknown License
github.com/hashicorp/go-version	v1.9.0	Null	Unknown License
github.com/otiai10/copy	v1.14.1	Null	Unknown License
github.com/pmezard/go-difflib	v1.0.0	Null	Unknown License
github.com/sirupsen/logrus	v1.9.4	Null	Unknown License
github.com/spf13/cobra	v1.10.2	Null	Unknown License
github.com/spf13/pflag	v1.0.10	Null	Unknown License
github.com/stretchr/testify	v1.11.1	Null	Unknown License
golang.org/x/crypto	v0.52.0	Null	Unknown License
golang.org/x/sys	v0.46.0	Null	Unknown License
golang.org/x/term	v0.44.0	Null	Unknown License
gopkg.in/yaml.v3	v3.0.1	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 8 SAST tool detected but not run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches
gomod/github.com/aymanbagabas/go-pty	v0.2.3	Unknown	Unknown
gomod/github.com/creack/pty	v1.1.24	Unknown	Unknown
gomod/github.com/davecgh/go-spew	v1.1.1	Unknown	Unknown
gomod/github.com/hashicorp/go-version	v1.9.0	Unknown	Unknown
gomod/github.com/otiai10/copy	v1.14.1	Unknown	Unknown
gomod/github.com/pmezard/go-difflib	v1.0.0	Unknown	Unknown
gomod/github.com/sirupsen/logrus	v1.9.4	Unknown	Unknown
gomod/github.com/spf13/cobra	v1.10.2	Unknown	Unknown
gomod/github.com/spf13/pflag	v1.0.10	Unknown	Unknown
gomod/github.com/stretchr/testify	v1.11.1	Unknown	Unknown
gomod/github.com/u-root/u-root	v0.16.0	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 9 binaries present in source code Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4
gomod/golang.org/x/crypto	v0.52.0	Unknown	Unknown
gomod/golang.org/x/sync	v0.18.0	Unknown	Unknown
gomod/golang.org/x/sys	v0.46.0	Unknown	Unknown
gomod/golang.org/x/term	v0.44.0	Unknown	Unknown
gomod/gopkg.in/yaml.v3	v3.0.1	Unknown	Unknown
actions/actions/checkout	9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 8 SAST tool detected but not run on all commits Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches
gomod/github.com/aymanbagabas/go-pty	v0.2.3	Unknown	Unknown
gomod/github.com/creack/pty	v1.1.24	Unknown	Unknown
gomod/github.com/davecgh/go-spew	v1.1.1	Unknown	Unknown
gomod/github.com/hashicorp/go-version	v1.9.0	Unknown	Unknown
gomod/github.com/otiai10/copy	v1.14.1	Unknown	Unknown
gomod/github.com/pmezard/go-difflib	v1.0.0	Unknown	Unknown
gomod/github.com/sirupsen/logrus	v1.9.4	Unknown	Unknown
gomod/github.com/spf13/cobra	v1.10.2	Unknown	Unknown
gomod/github.com/spf13/pflag	v1.0.10	Unknown	Unknown
gomod/github.com/stretchr/testify	v1.11.1	Unknown	Unknown
gomod/github.com/u-root/u-root	v0.16.0	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 4 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 9 binaries present in source code Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4
gomod/golang.org/x/crypto	v0.52.0	Unknown	Unknown
gomod/golang.org/x/sync	v0.18.0	Unknown	Unknown
gomod/golang.org/x/sys	v0.46.0	Unknown	Unknown
gomod/golang.org/x/term	v0.44.0	Unknown	Unknown
gomod/gopkg.in/yaml.v3	v3.0.1	Unknown	Unknown

Scanned Files

• .github/workflows/scorecard.yml
• .github/workflows/tpip-check.yml
• go.mod