chore(deps): update actions/checkout action to v7

[scality-renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6.0.3 → v7.0.0

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 9am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[github-actions]

Dependency Bump Evaluation

Version change: actions/checkout v6.0.3 → v7.0.0 (major)

Changes:

• Block checking out fork PRs for pull_request_target and workflow_run events (security hardening)
• Internal upgrade to ESM modules and dependency bumps (flatted, js-yaml, @actions/core, @actions/tool-cache)

Breaking changes: v7 blocks fork PR checkout under pull_request_target and workflow_run triggers. None of the 4 updated workflows use these triggers — they use workflow_call (build.yaml), pull_request (pre-merge.yaml), push on tags (promote.yaml), and workflow_dispatch (release.yaml). The breaking change does not apply here.

Note: review.yml does use pull_request_target but is not modified by this PR — it delegates to reusable workflows in scality/workflows which manage their own checkout version.

Security concerns: None. The v7 change is itself a security improvement. No supply chain anomalies — changes are from the GitHub actions org maintainers.

Impact on codebase: The diff is purely mechanical: 4 SHA pin updates with version comment changes. No workflow logic, inputs, or behavior is altered.

CI status: lint, test, and build checks are still in progress — verify they pass before merging.

Recommendation: SAFE TO MERGE (once CI is green)

— Claude Code