deps: Bump actions/checkout to v7 #216

Open
wu21-web wants to merge 10 commits into hustcer:main from wu21-web:deps

@wu21-web wu21-web commented Jun 19, 2026

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflows to use the latest GitHub Actions checkout tooling across build and test jobs.
  • Documentation
    • Refreshed the example workflow snippets in the main README and the Chinese README to reference the updated checkout action version.

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1745a156-5ec1-46a9-a30e-4ef77f61ba82

📥 Commits

Reviewing files that changed from the base of the PR and between 80c390d and cdd6add.

📒 Files selected for processing (2)
  • README.md
  • README.zh-CN.md
✅ Files skipped from review due to trivial changes (2)
  • README.md
  • README.zh-CN.md

📝 Walkthrough

All eight GitHub Actions workflow files are updated to use actions/checkout@v7 instead of actions/checkout@v6, and both README files (English and Chinese) are updated to reflect the new version in example workflows. The change applies uniformly to every job step that performs a repository checkout, with no other workflow logic, triggers, matrix configuration, step parameters, or example explanations modified.

Changes

actions/checkout v6 → v7 across all CI workflows and documentation

| Layer / File(s) | Summary |
| --- | --- |
| Bump actions/checkout@v6 to @v7 in all workflows: .github/workflows/basic.yaml, .github/workflows/build.yaml, .github/workflows/full-matrix.yaml, .github/workflows/latest-matrix.yaml, .github/workflows/main-matrix.yaml, .github/workflows/module-test.yaml, .github/workflows/release-matrix.yaml, .github/workflows/use-nightly.yaml | Every actions/checkout step across all workflow files is updated from @v6 to @v7; no other job structure, matrix config, or step parameters are changed. |
| Update checkout version in README examples: README.md, README.zh-CN.md | Both English and Chinese README files update their GitHub Actions workflow examples to use actions/checkout@v7 instead of @v6. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hippity hop, a version goes up,
From six to seven, now fill up that cup!
Eight workflow files, all tidy and neat,
Two READMEs updated—the docs are complete!
The rabbit approves, with a wiggle and cheer~ ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'deps: Bump actions/checkout to v7' clearly and concisely summarizes the main change: updating the actions/checkout dependency from v6 to v7 across all workflow files and documentation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot left a comment

Code Analysis

  • Version Bump Consistency: All workflow files consistently update actions/checkout from v6 to v7, ensuring uniform dependency management across CI pipelines.
  • No Functional Changes: The diff only modifies version strings; no logic, structure, or configuration changes are introduced.
  • Dependency Pinning: The update follows semantic versioning best practices by specifying a major version (v7), which provides stability while allowing minor/patch updates.

Security Review

  • No Security Vulnerabilities Introduced: The change is a routine dependency version bump. actions/checkout@v7 is a trusted GitHub Action with no known security issues at this version.
  • No Input Sanitization Concerns: The diff does not involve any user input handling, so XSS, CSRF, or injection risks are not applicable.
  • Safe Dependency Usage: The update uses a well-maintained, official GitHub Action, reducing supply chain risk.

Optimization Suggestions

  • Consider Pinning to Exact Version: For stricter reproducibility, consider pinning to a specific patch version (e.g., v7.1.0) instead of v7 to avoid unexpected breaking changes from future minor releases.
  • Add Dependency Review Step: To enhance security, consider adding a dependency-review step in workflows to automatically check for vulnerabilities in new action versions.
  • Use Dependabot for Automated Updates: Enable Dependabot version updates to automatically create PRs for action version bumps, reducing manual effort and ensuring timely updates.

Overall Quality: 5

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/use-nightly.yaml:
- Line 18: The README.md documentation is out of sync with the updated workflow
files. Find the reference to actions/checkout@v6 in README.md (around line 51)
and update it to actions/checkout@v7 to match the version now being used in all
workflow files. This ensures the documentation accurately reflects the current
tooling and security improvements.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a96e3a0a-bd1a-49db-99fe-7dcac17e11de

📥 Commits

Reviewing files that changed from the base of the PR and between 9c3e286 and 80c390d.

📒 Files selected for processing (8)
  • .github/workflows/basic.yaml
  • .github/workflows/build.yaml
  • .github/workflows/full-matrix.yaml
  • .github/workflows/latest-matrix.yaml
  • .github/workflows/main-matrix.yaml
  • .github/workflows/module-test.yaml
  • .github/workflows/release-matrix.yaml
  • .github/workflows/use-nightly.yaml

Comment thread .github/workflows/use-nightly.yaml

@github-actions github-actions Bot left a comment

Code Analysis

  • Version Bump Consistency: The diff shows a systematic update of actions/checkout from v6 to v7 across 8 workflow files and 1 README.md. This is a straightforward dependency upgrade, likely to leverage new features or security patches in the GitHub Action.
  • No Functional Changes: Beyond the version increment, no logic, configuration, or structural changes are present. The update is purely mechanical and consistent across all occurrences.
  • Context: This is a CI/CD pipeline configuration change, not frontend code. The review will adapt to DevOps best practices rather than frontend-specific concerns.

Security Review

  • Vulnerability Findings: None directly introduced by this change. However, upgrading actions/checkout@v7 may include security fixes (e.g., patched vulnerabilities in v6). Ensure the new version is verified against known CVEs.
  • Dependency Pinning: The diff uses @v7 (a major version tag), which is mutable. For production workflows, consider pinning to a specific commit SHA to prevent supply chain attacks (e.g., actions/checkout@<sha>). This is a best practice for security.
  • Third-Party Action Risk: The hustcer/setup-nu action is referenced with @develop, @v3, and @main branches. Using mutable branches (e.g., @develop) introduces risk of untested changes. Recommend pinning to a specific release tag or commit hash.

Optimization Suggestions

  • Performance Improvements:
    • Caching: Add caching for actions/checkout to reduce clone time on repeated runs (e.g., actions/cache for dependencies). This is not directly related to the version bump but improves CI efficiency.
    • Matrix Strategy: The workflows use matrix builds (e.g., ${{ matrix.os }}). Ensure the matrix is optimized to avoid redundant runs (e.g., limit to necessary OS/version combinations).
  • Reliability:
    • Error Handling: Consider adding continue-on-error: false or if: failure() steps to handle checkout failures gracefully, especially in matrix builds.
    • Fallback UI: Not applicable here, but for frontend context, ensure error boundaries are present.

Overall Quality: 4/5

  • The change is clean, consistent, and follows a clear upgrade pattern.
  • Deducted 1 point for lack of SHA pinning and use of mutable branch references in third-party actions, which could introduce security or reliability risks.
  • Recommendation: After merging, verify the new actions/checkout@v7 behavior in CI to ensure no breaking changes (e.g., token requirements or checkout depth defaults).
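
Added example, not part of the PR or of any bot's review: a small Python check for the pinning concern raised in the review above, listing every `uses:` reference in a workflow that is not a full 40-character commit SHA. The sample workflow and its SHA are constructed, and `classify_ref`, `audit_uses` and `mutable_refs` are names chosen for this example.

```python
import re

# "uses: owner/repo[/path]@ref", with an optional leading "- " and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#@]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_TAG_RE = re.compile(r"v?\d+(\.\d+){0,2}")

# Constructed sample; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v7
      - uses: hustcer/setup-nu@develop
      - name: Setup Nu
        uses: hustcer/setup-nu@v3
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed
"""

def classify_ref(ref):
    """Return 'sha' for a full commit SHA, else the kind of movable ref."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"            # immutable: content-addressed commit
    if VERSION_TAG_RE.fullmatch(ref):
        return "version-tag"    # e.g. v7 or v7.1.0; a tag can be moved
    return "named-ref"          # e.g. develop, main; a branch or other name

def audit_uses(workflow_text):
    """List (line, action, ref, kind) for every remote action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue            # not a step reference, or a container image
        action, ref = m.groups()
        findings.append((lineno, action, ref, classify_ref(ref)))
    return findings

def mutable_refs(workflow_text):
    """Only the references that are not pinned to a full commit SHA."""
    return [f for f in audit_uses(workflow_text) if f[3] != "sha"]

if __name__ == "__main__":
    for lineno, action, ref, kind in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is a {kind}, not a commit SHA")
```

Run over the files in `.github/workflows/`, a non-empty `mutable_refs` result can fail a CI job so that tag or branch references are caught before merge.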

@github-actions github-actions Bot left a comment

Code Analysis

  • This is a CI/CD configuration update, not frontend code. The diff shows systematic version bump of actions/checkout from v6 to v7 across 10 GitHub Actions workflow files and 2 README files.
  • Changes are consistent and follow a clear pattern: updating the actions/checkout action version in all workflow steps and documentation examples.
  • No breaking changes or functional modifications beyond the version update.

Security Review

  • ✅ No security vulnerabilities found. This is a dependency version update with no code changes.
  • ⚠️ Minor consideration: Ensure actions/checkout@v7 is a verified, stable release from GitHub's official marketplace to avoid supply chain risks.

Optimization Suggestions

  • ✅ Consider pinning to a specific minor version (e.g., @v7.1.0) instead of the major version tag for reproducible builds, though major version tags are standard practice.
  • ✅ No performance improvements needed as this is a CI configuration change.

Overall Quality: 5/5 (Clean, consistent, and well-structured update across all files)

Note: This review is for a CI/CD configuration change, not frontend code. The standard frontend review checklist (ES specification, component design, state management, etc.) does not apply here. The update is straightforward and correctly applied across all relevant files.
