ci(github-action)!: Update action actions/checkout to v7.0.0

[its-miso]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6.0.3 → v7.0.0
actions/checkout	action	major	v6.0.2 → v7.0.0

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[its-saffron]

AI Automated Review

Full PR review.

Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — escalated (fast_low_confidence)

PR Review: Update actions/checkout to v7.0.0

Recommendation

Approve. This is a straightforward GitHub Actions dependency update with no production code impact and all CI checks passing.

Change Summary

The PR updates actions/checkout from v6.x to v7.0.0 in two workflow files:

• .github/workflows/ai-pr-review.yaml: v6.0.2 → v7.0.0
• .github/workflows/label-sync.yaml: v6.0.3 → v7.0.0

Both usages update to the full SHA commit 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for v7.0.0, which is the correct practice for action pin-with-SHA.

Evidence Provider Findings

• CI Status: All checks completed successfully (review, Script test suite, Headless smoke test, macOS validation)
• Release Timeline: v7.0.0 was published 2026-06-18, v6.0.3 on 2026-06-02 — this is a current, stable release

Breaking Change Assessment

The conventional commit ! flag indicates breaking changes. Key changes in v7.0.0 per release notes:

• ESM module migration
• Removal of uuid dependency
• Updated @actions/core, @actions/tool-cache to newer major versions
• Block checking out fork PRs for pull_request_target and workflow_run triggers (security hardening)

However, these breaking changes affect the action's internals and security behavior — they do not affect the workflow YAML structure or inputs used in these two files. The workflows simply use actions/checkout to clone the repository, and that operation continues to work identically.

Standards Compliance

• Repository conventions: No specific standards for GitHub Actions versions exist in AGENTS.md. The repo prefers direct pushes to main and no release after every small change — this PR is automated dependency maintenance, not a feature or release.
• Action pin hygiene: Both usages correctly pin to a full SHA commit rather than a mutable tag — this is the recommended security practice.

Linked Issue Fit

No linked issues exist for this PR.

Unknowns / Needs Verification

None. The CI ran on the updated workflows and passed, confirming compatibility.

Final Verdict

Safe to merge. This is low-risk dependency maintenance: CI-only, no application code, all checks passed, SHA-pinned action reference maintained.