ci(github-action)!: Update action actions/checkout (v6 → v7)

[its-miso]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6 → v7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/checkout (actions/checkout)

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

Superseded by a newer automated review for this pull request.

[its-saffron]

AI Automated Review

Full PR review.

Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — escalated (fast_low_confidence)

PR Review: Update actions/checkout v6 → v7

Recommendation: Approve

This is a straightforward GitHub Actions dependency update that upgrades actions/checkout from v6 to v7 in both CI workflow files. The change follows best practices and has already passed CI validation.

Change Summary

Files modified (2):

• .github/workflows/ci.yaml — Checkout action updated from df4cb1c (v6) to 9c091bb (v7)
• .github/workflows/image.yaml — Checkout action updated from df4cb1c (v6) to 9c091bb (v7)

Both files use full SHA pinning with inline version comments, which is the recommended practice for GitHub Actions.

Verification

• Commit SHA verification: The new SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 corresponds to the v7.0.0 tag in actions/checkout, confirmed via the GitHub API tags endpoint. The v7 floating tag also resolves to this same SHA.
• CI status: Both "Validate" and "Docker Build" checks completed successfully.
• Consistency: Both workflow files updated identically.

v7 Release Notes Summary

The v7 release includes:

• Security hardening: Blocks checking out fork PRs for pull_request_target and workflow_run triggers (PR PR 2454)
• ESM module upgrade: Modernized to ES modules
• Dependency updates: Updated @actions/core, @actions/tool-cache, and related dependencies

Standards Compliance

Requirement	Status
SHA pinning	✅ Uses full commit SHA
Version comment	✅ Inline # v7 comment present
CI passes	✅ Validate + Docker Build succeeded
Consistent across files	✅ Both workflows updated identically

Linked Issue Fit

No linked issue. This is a routine dependency maintenance task with no explicit acceptance criteria to verify.

Unknowns / Needs Verification

None. The update is well-verified:

• SHA confirmed against upstream tags API
• CI has green status
• Breaking changes (ESM, fork security) are improvements, not regressions for this workflow usage