Merge f80349a6ad into 9c091bb21b

update error wording (#2467 )
getting ready for checkout v7 release (#2464 )
2026-06-29 08:38:52 +00:00 · 2026-06-19 04:06:32 +00:00 · 2026-06-17 13:51:53 -04:00 · 2026-06-17 09:59:35 -04:00 · 2022-09-02 14:11:12 +02:00 · 2020-10-02 17:20:12 +02:00
11 changed files with 115 additions and 59 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -29,6 +29,8 @@ jobs:
        run: __test__/verify-no-unstaged-changes.sh

  test:
+    env:
+      main_path: main_path_test
    strategy:
      matrix:
        runs-on: [ubuntu-latest, macos-latest, windows-latest]
@ -62,6 +64,16 @@ jobs:
        shell: bash
        run: __test__/verify-clean.sh

+      # Use environment variable as path
+      - name: Environment path test
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: ${{ env.main_path }}
+      - name: Verify environment path test
+        shell: bash
+        run: __test__/verify-environment-path.sh
+
      # Side by side
      - name: Checkout side by side 1
        uses: ./
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,14 @@
 # Changelog

+## v7.0.0
+* Block checking out fork PR for pull_request_target and workflow_run by @aiqiaoy in https://github.com/actions/checkout/pull/2454
+* Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in https://github.com/actions/checkout/pull/2458
+* Bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in https://github.com/actions/checkout/pull/2460
+* Bump js-yaml from 4.1.0 to 4.2.0 by @dependabot[bot] in https://github.com/actions/checkout/pull/2461
+* Bump @actions/core and @actions/tool-cache and Remove uuid by @dependabot[bot] in https://github.com/actions/checkout/pull/2459
+* upgrade module to esm and update dependencies by @aiqiaoy in https://github.com/actions/checkout/pull/2463
+* Bump the minor-npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/actions/checkout/pull/2462
+
 ## v6.0.3
 * Fix checkout init for SHA-256 repositories by @yaananth in https://github.com/actions/checkout/pull/2439
 * fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in https://github.com/actions/checkout/pull/2414
--- a/README.md
+++ b/README.md
@ -1,5 +1,14 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)

+# Checkout v7
+
+## What's new
+
+- Safer fork pull request handling: checkout now refuses to check out fork pull request code by default when the workflow is triggered by `pull_request_target` or `workflow_run`. These triggers run with the base repository's `GITHUB_TOKEN`, secrets, and runner access, where executing a fork's code commonly leads to "pwn request" vulnerabilities.
+  - To opt in after [reviewing the risks](https://gh.io/securely-using-pull_request_target), set the new `allow-unsafe-pr-checkout: true` input.
+- Migrated `actions/checkout` to ESM to support new versions of the `@actions/*` packages.
+- Updated direct and transitive dependencies, including security fixes for known vulnerabilities.
+
 # Checkout v6

 ## What's new
@ -15,7 +24,6 @@
 - Updated to the node24 runtime
  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.

-
 # Checkout v4

 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
@ -52,7 +60,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 <!-- start usage -->
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@ -105,7 +113,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    # Default: true
    persist-credentials: ''

-    # Relative path under $GITHUB_WORKSPACE to place the repository
+    # Relative or absolute path under $GITHUB_WORKSPACE to place the repository
    path: ''

    # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching
@ -200,7 +208,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    sparse-checkout: .
 ```
@ -208,7 +216,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    sparse-checkout: |
      .github
@ -218,7 +226,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    sparse-checkout: |
      README.md
@ -228,7 +236,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    fetch-depth: 0
 ```
@ -236,7 +244,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    ref: my-branch
 ```
@ -244,7 +252,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@ -254,26 +262,38 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7
  with:
    path: main

 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7
  with:
    repository: my-org/my-tools
    path: my-tools
 ```
 > - If your secondary repository is private or internal you will need to add the option noted in [Checkout multiple repos (private)](#Checkout-multiple-repos-private)

+## Checkout repo with a environment based path
+
+```yaml
+env:
+  main_path: ${{ github.workspace }}/main
+steps:
+- name: Checkout
+  uses: actions/checkout@v2
+  with:
+    path: ${{ env.main_path }}
+```
+
 ## Checkout multiple repos (nested)

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7

 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7
  with:
    repository: my-org/my-tools
    path: my-tools
@ -284,12 +304,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7
  with:
    path: main

 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v7
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@ -302,7 +322,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v7
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@ -318,7 +338,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 ```

 ## Push a commit using the built-in token
@ -329,7 +349,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
@ -351,7 +371,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
        with:
          ref: ${{ github.head_ref }}
      - run: |
--- a/test/verify-environment-path.sh
+++ b/test/verify-environment-path.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ ! -f "./main_path_test/basic-file.txt" ]; then
+    echo "Expected file does not exist"
+    exit 1
+fi
--- a/action.yml
+++ b/action.yml
@ -53,7 +53,7 @@ inputs:
    description: 'Whether to configure the token or SSH key with the local git config'
    default: true
  path:
-    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
+    description: 'Relative or absolute path under $GITHUB_WORKSPACE to place the repository'
  clean:
    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
    default: true
--- a/adrs/0153-checkout-v2.md
+++ b/adrs/0153-checkout-v2.md
@ -65,7 +65,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
    description: 'Whether to configure the token or SSH key with the local git config'
    default: true
  path:
-    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
+    description: 'Relative or absolute path under $GITHUB_WORKSPACE to place the repository'
  clean:
    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
    default: true
--- a/dist/index.js
+++ b/dist/index.js
@ -42023,9 +42023,9 @@ function assertSafePrCheckout(input) {
    throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
        `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-        `the risks at https://gh.io/securely-using-pull_request_target, set ` +
-        `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
+        `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
+        `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
+        `on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
    if (typeof value === 'string' && value.length > 0) {
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "checkout",
-  "version": "5.0.0",
+  "version": "7.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "checkout",
-      "version": "5.0.0",
+      "version": "7.0.0",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^3.0.1",
@ -719,10 +719,11 @@
      }
    },
    "node_modules/@eslint/eslintrc/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -771,10 +772,11 @@
      }
    },
    "node_modules/@humanwhocodes/config-array/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -3194,10 +3196,11 @@
      }
    },
    "node_modules/eslint-plugin-import/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -3272,10 +3275,11 @@
      }
    },
    "node_modules/eslint-plugin-jsx-a11y/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -3371,10 +3375,11 @@
      }
    },
    "node_modules/eslint/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -3817,10 +3822,11 @@
      }
    },
    "node_modules/glob/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -5522,12 +5528,13 @@
      }
    },
    "node_modules/minimatch": {
-      "version": "9.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
-      "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@ -5856,10 +5863,11 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
      "dev": true,
+      "license": "MIT",
      "engines": {
        "node": ">=8.6"
      },
@ -6610,10 +6618,11 @@
      }
    },
    "node_modules/test-exclude/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "dev": true,
+      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "checkout",
-  "version": "5.0.0",
+  "version": "7.0.0",
  "description": "checkout action",
  "type": "module",
  "main": "lib/main.js",
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@ -123,7 +123,7 @@ function updateUsage(
 }

 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v7',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
-      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
+      `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
+      `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
+      `on the actions/checkout step.`
  )
 }
Author	SHA1	Message	Date
Johnny Willemsen	3fa538c13c	Merge `f80349a6ad` into `9c091bb21b`	2026-06-19 04:06:32 +00:00
Aiqiao Yan	9c091bb21b	update error wording (#2467 )	2026-06-17 13:51:53 -04:00
Aiqiao Yan	1044a6dea9	getting ready for checkout v7 release (#2464 ) * getting ready for checkout v7 release * update changelog wording Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-17 09:59:35 -04:00
Johnny Willemsen	f80349a6ad	Merge branch 'actions:main' into jwi-pathdocu	2022-09-02 14:11:12 +02:00
Johnny Willemsen	8af5cbfde0	Merge branch 'main' into jwi-pathdocu	2020-10-02 17:20:12 +02:00
Johnny Willemsen	d795c2780e	Move env to test step * .github/workflows/test.yml:	2020-08-26 12:44:28 +02:00
Johnny Willemsen	d345e1892f	Back to basic * .github/workflows/test.yml:	2020-08-26 12:26:01 +02:00
Johnny Willemsen	388793bd97	Use ref as it should * .github/workflows/test.yml:	2020-08-26 12:25:15 +02:00
Johnny Willemsen	4f92610a97	Added environment based path test * __test__/verify-environment-path.sh: Added. * .github/workflows/test.yml:	2020-08-26 12:18:55 +02:00
Johnny Willemsen	e67ad3383b	Removed side by side * README.md:	2020-08-26 12:11:07 +02:00
Johnny Willemsen	146dd77449	The path can be relative or absolute under $GITHUB_WORKSPACE * README.md: * action.yml: * adrs/0153-checkout-v2.md:	2020-08-26 12:09:04 +02:00