The Wire · Showcase
GITHUB ACTIONS CHECKOUT 7.0 ROLLS ACROSS LARAVEL ECOSYSTEM
By RepoJournal · Filed · About Laravel
Actions/checkout jumped to v7.0.0 overnight, and three Laravel core repositories just pulled the trigger on the upgrade.
The github-actions group bump hit locket [1], forge-sdk [2], and passkeys-server [3] simultaneously, all moving actions/checkout from 6.0.3 to 7.0.0. The v7 release includes a critical security change: it now blocks checking out fork PRs for pull_request_target events, closing a known attack vector where malicious code could steal secrets. This is the kind of silent fix that matters more than it sounds. If you're running CI workflows that accept external contributions, this upgrade hardens your pipeline against a real class of exploits. The rollout across three different repos suggests this wasn't accidental - this was coordinated. Worth noting that cache action also got bumped in locket and passkeys-server, though the details are light on what changed there.
Action items
- → Merge the github-actions bumps in locket, forge-sdk, and passkeys-server before next CI run laravel/locket [immediate]
- → Review your own GitHub Actions workflows for fork PR handling - apply the same security posture laravel/framework [plan]
References
- [1] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/locket
- [2] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/forge-sdk
- [3] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/passkeys-server