chainguard-dev · dependabot · Jun 22, 2026
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -36,7 +36,7 @@ jobs:
             release-assets.githubusercontent.com:443
 
       - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/buildifier.yaml b/.github/workflows/buildifier.yaml
@@ -22,6 +22,6 @@
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: buildifier
         run: bazel run --enable_bzlmod //.github/workflows:buildifier.check
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -33,7 +33,7 @@
        with:
          egress-policy: audit
      - id: linux
        run: echo "os=ubuntu-latest" >> $GITHUB_OUTPUT
    outputs:
      # Will look like ["ubuntu-latest"]
      os: ${{ toJSON(steps.*.outputs.os) }}
@@ -46,17 +46,17 @@
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - id: bazel_91
         run: echo "bazelversion=9.1.0" >> $GITHUB_OUTPUT
       - id: bazel_86
        run: echo "bazelversion=8.6.0" >> $GITHUB_OUTPUT
      - id: bazel_83
        run: echo "bazelversion=8.3.0" >> $GITHUB_OUTPUT
      - id: bazel_76
        run: echo "bazelversion=7.6.1" >> $GITHUB_OUTPUT
      - id: bazel_6
        run: echo "bazelversion=6.5.0" >> $GITHUB_OUTPUT
    outputs:
      # Will look like ["<version from .bazelversion>", "x.y.z"]
      bazelversions: ${{ toJSON(steps.*.outputs.bazelversion) }}
@@ -90,7 +90,7 @@
         with:
           egress-policy: audit
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # v0.19.0
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,9 +22,9 @@
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0 # fetch all history for all branches and tags
 
      - name: Calculate version bump
        id: create_tag

diff --git a/.github/workflows/update-apko.yaml b/.github/workflows/update-apko.yaml
@@ -22,7 +22,7 @@
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
     - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
       id: octo-sts
@@ -36,7 +36,7 @@
    - name: Determine if there is a diff
      shell: bash
      id: check-diff
      run: |
        set -x
        # Check if there is a diff
        if git diff --exit-code MODULE.bazel; then

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -36,7 +36,7 @@ jobs:
             ghcr.io
 
       - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false