RepoJournal
Laravel

@laravel

PHP's most popular framework — Forge, Vapor, and a massive paying audience

Pick a date

The Wire · Showcase

GITHUB ACTIONS CHECKOUT 7.0 ROLLS ACROSS LARAVEL ECOSYSTEM

By RepoJournal · Filed · About Laravel

dependabot
1 person shipped this

Actions/checkout jumped to v7.0.0 overnight, and three Laravel core repositories just pulled the trigger on the upgrade.

The github-actions group bump hit locket [1], forge-sdk [2], and passkeys-server [3] simultaneously, all moving actions/checkout from 6.0.3 to 7.0.0. The v7 release includes a critical security change: it now blocks checking out fork PRs for pull_request_target events, closing a known attack vector where malicious code could steal secrets. This is the kind of silent fix that matters more than it sounds. If you're running CI workflows that accept external contributions, this upgrade hardens your pipeline against a real class of exploits. The rollout across three different repos suggests this wasn't accidental - this was coordinated. Worth noting that cache action also got bumped in locket and passkeys-server, though the details are light on what changed there.

Action items

References

  1. [1] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/locket
  2. [2] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/forge-sdk
  3. [3] Bump the github-actions group across 1 directory with 2 updates ↗ laravel/passkeys-server

More from @laravel

Daily updates, in your inbox

Follow Laravel

PHP's most popular framework — Forge, Vapor, and a massive paying audience We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire