chore(deps): bump the docker group with 4 updates by dependabot[bot] · Pull Request #377 · LerianStudio/github-actions-shared-workflows

dependabot · 2026-05-25T16:51:39Z

Bumps the docker group with 4 updates: docker/setup-buildx-action, docker/login-action, docker/metadata-action and docker/build-push-action.

Updates docker/setup-buildx-action from 4.0.0 to 4.1.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.1.0

Bump @docker/actions-toolkit from 0.79.0 to 0.90.0 in docker/setup-buildx-action#489

Bump brace-expansion from 1.1.12 to 5.0.6 in docker/setup-buildx-action#547 docker/setup-buildx-action#508

Bump fast-xml-builder from 1.0.0 to 1.2.0 in docker/setup-buildx-action#540

Bump fast-xml-parser from 5.4.2 to 5.8.0 in docker/setup-buildx-action#496

Bump flatted from 3.3.3 to 3.4.2 in docker/setup-buildx-action#499

Bump glob from 10.3.12 to 13.0.6 in docker/setup-buildx-action#495

Bump handlebars from 4.7.8 to 4.7.9 in docker/setup-buildx-action#504

Bump lodash from 4.17.23 to 4.18.1 in docker/setup-buildx-action#523

Bump picomatch from 4.0.3 to 4.0.4 in docker/setup-buildx-action#503

Bump postcss from 8.5.6 to 8.5.10 in docker/setup-buildx-action#537

Bump tar from 6.2.1 to 7.5.15 in docker/setup-buildx-action#545

Bump undici from 6.23.0 to 6.25.0 in docker/setup-buildx-action#492

Bump vite from 7.3.1 to 7.3.2 in docker/setup-buildx-action#520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

Commits

d7f5e7f Merge pull request #489 from docker/dependabot/npm_and_yarn/docker/actions-to...
92bc5c9 chore: update generated content
da11e35 build(deps): bump @docker/actions-toolkit from 0.79.0 to 0.90.0
f021e16 Merge pull request #492 from docker/dependabot/npm_and_yarn/undici-6.24.1
b5af94f chore: update generated content
16ad977 build(deps): bump undici from 6.23.0 to 6.25.0
d7a12d7 Merge pull request #495 from docker/dependabot/npm_and_yarn/glob-10.5.0
28ff27d build(deps): bump glob from 10.3.12 to 13.0.6
daf436b Merge pull request #496 from docker/dependabot/npm_and_yarn/fast-xml-parser-5...
9725348 chore: update generated content
Additional commits viewable in compare view

Updates docker/login-action from 4.1.0 to 4.2.0

Release notes

Sourced from docker/login-action's releases.

v4.2.0

Bump @actions/core from 3.0.0 to 3.0.1 in docker/login-action#976

Bump @aws-sdk/client-ecr and @aws-sdk/client-ecr-public to 3.1050.0 in docker/login-action#960

Bump @docker/actions-toolkit from 0.86.0 to 0.90.0 in docker/login-action#970

Bump brace-expansion from 2.0.1 to 5.0.6 in docker/login-action#993

Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/login-action#985

Bump fast-xml-parser from 5.3.6 to 5.8.0 in docker/login-action#963

Bump http-proxy-agent and https-proxy-agent to 9.0.0 in docker/login-action#961

Bump postcss from 8.5.6 to 8.5.10 in docker/login-action#979

Bump tar from 6.2.1 to 7.5.15 in docker/login-action#991

Bump vite from 7.3.1 to 7.3.3 in docker/login-action#986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

Commits

650006c Merge pull request #960 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
99df1a3 chore: update generated content
3ab375f build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
39d8580 Merge pull request #970 from docker/dependabot/npm_and_yarn/docker/actions-to...
4eefcd3 chore: update generated content
56d092c build(deps): bump @docker/actions-toolkit from 0.86.0 to 0.90.0
e2e31ca Merge pull request #976 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
0bced94 chore: update generated content
3e75a0f build(deps): bump @actions/core from 3.0.0 to 3.0.1
365bebd Merge pull request #984 from docker/dependabot/github_actions/aws-actions/con...
Additional commits viewable in compare view

Updates docker/metadata-action from 6.0.0 to 6.1.0

Release notes

Sourced from docker/metadata-action's releases.

v6.1.0

Bump @docker/actions-toolkit from 0.79.0 to 0.90.0 in docker/metadata-action#613

Bump brace-expansion from 1.1.12 to 5.0.6 in docker/metadata-action#658 docker/metadata-action#630

Bump csv-parse from 6.1.0 to 6.2.1 in docker/metadata-action#617

Bump fast-xml-parser from 5.4.2 to 5.8.0 in docker/metadata-action#620

Bump flatted from 3.3.3 to 3.4.2 in docker/metadata-action#623

Bump glob from 10.3.15 to 10.5.0 in docker/metadata-action#621

Bump handlebars from 4.7.8 to 4.7.9 in docker/metadata-action#629

Bump lodash from 4.17.23 to 4.18.1 in docker/metadata-action#639

Bump moment-timezone from 0.6.0 to 0.6.1 in docker/metadata-action#619

Bump picomatch from 4.0.3 to 4.0.4 in docker/metadata-action#626

Bump postcss from 8.5.6 to 8.5.10 in docker/metadata-action#649

Bump tar from 6.2.1 to 7.5.15 in docker/metadata-action#657

Bump undici from 6.23.0 to 6.25.0 in docker/metadata-action#614

Bump vite from 7.3.1 to 7.3.2 in docker/metadata-action#637

Full Changelog: docker/metadata-action@v6.0.0...v6.1.0

Commits

80c7e94 Merge pull request #613 from docker/dependabot/npm_and_yarn/docker/actions-to...
8e0ddab chore: update generated content
a8db14b chore(deps): Bump @docker/actions-toolkit from 0.79.0 to 0.90.0
63a7371 Merge pull request #617 from docker/dependabot/npm_and_yarn/csv-parse-6.2.0
c6916a6 chore: update generated content
aca9205 chore(deps): Bump csv-parse from 6.1.0 to 6.2.1
9dcfe60 Merge pull request #629 from docker/dependabot/npm_and_yarn/handlebars-4.7.9
43dea76 chore: update generated content
7a56f5a chore(deps): Bump handlebars from 4.7.8 to 4.7.9
e49e0aa Merge pull request #658 from docker/dependabot/npm_and_yarn/brace-expansion-5...
Additional commits viewable in compare view

Updates docker/build-push-action from 7.1.0 to 7.2.0

Release notes

Sourced from docker/build-push-action's releases.

v7.2.0

Bump @actions/core from 3.0.0 to 3.0.1 in docker/build-push-action#1525

Bump @docker/actions-toolkit from 0.87.0 to 0.90.0 in docker/build-push-action#1517

Bump brace-expansion from 2.0.2 to 5.0.6 in docker/build-push-action#1534

Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/build-push-action#1529

Bump fast-xml-parser from 5.5.7 to 5.8.0 in docker/build-push-action#1521

Bump postcss from 8.5.6 to 8.5.10 in docker/build-push-action#1526

Bump tar from 6.2.1 to 7.5.15 in docker/build-push-action#1533

Full Changelog: docker/build-push-action@v7.1.0...v7.2.0

Commits

f9f3042 Merge pull request #1517 from docker/dependabot/npm_and_yarn/docker/actions-t...
812d5fd chore: update generated content
b6f6693 chore(deps): Bump @docker/actions-toolkit from 0.87.0 to 0.90.0
c1c626e Merge pull request #1525 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
51bb284 chore: update generated content
5f7884d chore(deps): Bump @actions/core from 3.0.0 to 3.0.1
e01deff Merge pull request #1521 from docker/dependabot/npm_and_yarn/fast-xml-parser-...
3804d49 chore: update generated content
71e8947 chore(deps): Bump fast-xml-parser from 5.5.7 to 5.8.0
4925ad2 Merge pull request #1526 from docker/dependabot/npm_and_yarn/postcss-8.5.10
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the docker group with 4 updates: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action), [docker/login-action](https://github.com/docker/login-action), [docker/metadata-action](https://github.com/docker/metadata-action) and [docker/build-push-action](https://github.com/docker/build-push-action). Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@4d04d5d...d7f5e7f) Updates `docker/login-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@4907a6d...650006c) Updates `docker/metadata-action` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](docker/metadata-action@030e881...80c7e94) Updates `docker/build-push-action` from 7.1.0 to 7.2.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@bcafcac...f9f3042) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker - dependency-name: docker/login-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker - dependency-name: docker/metadata-action dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker - dependency-name: docker/build-push-action dependency-version: 7.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker ... Signed-off-by: dependabot[bot] <support@github.com>

lerian-studio · 2026-05-25T16:52:35Z

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	4 file(s)	✅ success
Action Lint	4 file(s)	✅ success
Pinned Actions	4 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	4 file(s)	✅ success
Shell Check	4 file(s)	✅ success
README Check	4 file(s)	✅ success
Composite Schema	no changes	⏭️ skipped
Deployment Matrix	no changes	⏭️ skipped

_{🔍 View full scan logs}

lerian-studio · 2026-05-25T16:52:35Z

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

Check	Status	Blocking
Source Branch	✅ success	yes
PR Title	✅ success	yes
PR Description	✅ success	yes
PR Size	✅ success	no
Auto Labels	✅ success	no
PR Metadata	✅ success	no

_{🔍 View workflow run}

lerian-studio · 2026-05-25T16:54:14Z

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 27 issue(s): 27 Medium

Severity	Rule	File	Message
🟡 Medium	`actions/untrusted-checkout/medium`	`.github/workflows/go-release.yml:127`	Potential unsafe checkout of untrusted pull request on privileged workflow.
🟡 Medium	`actions/untrusted-checkout/medium`	`.github/workflows/gitops-update.yml:143`	Potential unsafe checkout of untrusted pull request on privileged workflow.
🟡 Medium	`actions/untrusted-checkout/medium`	`.github/workflows/gitops-update.yml:151`	Potential unsafe checkout of untrusted pull request on privileged workflow.
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/go-release.yml:101`	Potential code injection in ${{ inputs.test_cmd }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/go-release.yml:122`	Potential code injection in ${{ inputs.homebrew_tap_repo }}, which may b...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:216`	Potential code injection in ${{ inputs.force_multiplatform }}, which may...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:275`	Potential code injection in ${{ github.repository_owner }}, which may be...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:289`	Potential code injection in ${{ inputs.dockerhub_org }}, which may be co...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:288`	Potential code injection in ${{ inputs.enable_dockerhub }}, which may be...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:292`	Potential code injection in ${{ inputs.enable_ghcr }}, which may be cont...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:289`	Potential code injection in ${{ matrix.app.name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:294`	Potential code injection in ${{ matrix.app.name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:296`	Potential code injection in ${{ matrix.app.name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:281`	Potential code injection in ${{ inputs.ghcr_org }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:283`	Potential code injection in ${{ steps.normalize.outputs.owner_lower }}, ...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:410`	Potential code injection in ${{ matrix.app.name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:411`	Potential code injection in ${{ matrix.app.name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/build.yml:408`	Potential code injection in ${{ steps.version.outputs.version }}, which ...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:169`	Potential code injection in ${{ inputs.app_name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:172`	Potential code injection in ${{ inputs.app_name }}, which may be control...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:178`	Potential code injection in ${{ inputs.commit_message_prefix }}, which m...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:181`	Potential code injection in ${{ inputs.commit_message_prefix }}, which m...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:187`	Potential code injection in ${{ inputs.artifact_pattern }}, which may be...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:190`	Potential code injection in ${{ inputs.artifact_pattern }}, which may be...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:199`	Potential code injection in ${{ inputs.yq_version }}, which may be contr...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:731`	Potential code injection in ${{ steps.apply_tags.outputs.env_label }}, w...
🟡 Medium	`actions/code-injection/medium`	`.github/workflows/gitops-update.yml:739`	Potential code injection in ${{ steps.setup.outputs.commit_prefix }}, wh...

_{🔍 View full scan logs | 🛡️ Security tab}

dependabot · 2026-05-29T14:29:19Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

…c238479d6e

dependabot Bot added dependencies Dependency updates (usually opened by Dependabot) github-actions Updates to GitHub Actions dependencies (Dependabot ecosystem) labels May 25, 2026

dependabot Bot requested a review from a team as a code owner May 25, 2026 16:51

dependabot Bot added dependencies Dependency updates (usually opened by Dependabot) github-actions Updates to GitHub Actions dependencies (Dependabot ecosystem) labels May 25, 2026

prymax10 deleted the branch develop May 29, 2026 14:29

prymax10 closed this May 29, 2026

dependabot Bot deleted the dependabot/github_actions/develop/docker-c238479d6e branch May 29, 2026 14:29

bedatty restored the dependabot/github_actions/develop/docker-c238479d6e branch May 29, 2026 15:01

bedatty reopened this May 29, 2026

Merge branch 'develop' into dependabot/github_actions/develop/docker-…

49cd306

…c238479d6e

bedatty merged commit a8f7b4b into develop May 29, 2026
18 checks passed

bedatty self-assigned this May 29, 2026

dependabot Bot deleted the dependabot/github_actions/develop/docker-c238479d6e branch May 29, 2026 15:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the docker group with 4 updates#377

chore(deps): bump the docker group with 4 updates#377
bedatty merged 2 commits into
developfrom
dependabot/github_actions/develop/docker-c238479d6e

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

Uh oh!

lerian-studio commented May 25, 2026 •

edited

Loading

Uh oh!

lerian-studio commented May 25, 2026 •

edited

Loading

Uh oh!

lerian-studio commented May 25, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

dependabot Bot commented on behalf of github May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.1.0

v4.2.0

v6.1.0

v7.2.0

Uh oh!

lerian-studio commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Lint Analysis

Uh oh!

lerian-studio commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

Uh oh!

lerian-studio commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🛡️ CodeQL Analysis Results

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

lerian-studio commented May 25, 2026 •

edited

Loading

lerian-studio commented May 25, 2026 •

edited

Loading

lerian-studio commented May 25, 2026 •

edited

Loading