
chore(deps): update docker/setup-buildx-action action to v4.1.0 #73

Open
renovate[bot] wants to merge 1 commit into main from renovate/docker-setup-buildx-action-4.x

renovate Bot commented Jun 27, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| docker/setup-buildx-action | action | minor | v4.0.0 → v4.1.0 |

Release Notes

docker/setup-buildx-action (docker/setup-buildx-action)

v4.1.0

Compare Source

  • Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​489
  • Bump brace-expansion from 1.1.12 to 5.0.6 in #​547 #​508
  • Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​540
  • Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​496
  • Bump flatted from 3.3.3 to 3.4.2 in #​499
  • Bump glob from 10.3.12 to 13.0.6 in #​495
  • Bump handlebars from 4.7.8 to 4.7.9 in #​504
  • Bump lodash from 4.17.23 to 4.18.1 in #​523
  • Bump picomatch from 4.0.3 to 4.0.4 in #​503
  • Bump postcss from 8.5.6 to 8.5.10 in #​537
  • Bump tar from 6.2.1 to 7.5.15 in #​545
  • Bump undici from 6.23.0 to 6.25.0 in #​492
  • Bump vite from 7.3.1 to 7.3.2 in #​520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

  • No breaking changes: v4.1.0 is a minor version bump over v4.0.0 with no API or interface changes to the action itself.
  • Dependency-only release: All changes are internal transitive dependency updates — the action's inputs, outputs, and behavior are unchanged.
  • Security-relevant dependency updates included:
    • handlebars 4.7.8 → 4.7.9 (security patch)
    • tar 6.2.1 → 7.5.15 (major version bump with security improvements)
    • undici 6.23.0 → 6.25.0 (HTTP client security/bug fixes)
    • postcss 8.5.6 → 8.5.10 (security patch)
    • brace-expansion 1.1.12 → 5.0.6 (major version bump, fixes ReDoS vulnerability)
  • Toolkit update: @docker/actions-toolkit bumped from 0.79.0 to 0.90.0 (internal tooling, no interface impact).

🎯 Impact Scope Investigation

  • Single usage location: .github/workflows/release-please.yml:107 — used in the Docker image build job that publishes container images to ghcr.io/koki-develop/ghasec during releases.
  • No configuration changes required: The action is used without any explicit with: inputs, so no parameter changes to review.
  • Commit hash pinned: The PR correctly updates the pinned commit hash from 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd (v4.0.0) to d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 (v4.1.0), maintaining the security benefit of hash-pinned actions.
  • No impact on other dependencies in the codebase — this change is confined to the CI workflow file only.

💡 Recommended Actions

  • No migration steps or code changes are required.
  • This PR can be merged as-is. The update brings security fixes in transitive dependencies (notably brace-expansion ReDoS fix and tar security improvements) with zero functional risk.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
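
The hash-pin consistency that the review above checks by eye can be checked mechanically. The following is an added example, not code from this repository, Renovate, or the review tool; it assumes the workflow line has the form `uses: owner/repo@<sha> # vX.Y.Z` (the workflow file is not shown on this page), and `parse_uses`, `review_pin_update` and the sample lines are hypothetical, built from the two commit hashes quoted in the review.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally followed by `# version-comment`.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample lines (assumed layout); the hashes are the two quoted in the review.
OLD = "      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0"
NEW = "      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0"


def parse_uses(line):
    """Return (action, ref, comment) for a `uses:` line, or None if it is not one."""
    m = USES_RE.match(line)
    return (m["action"], m["ref"], m["comment"]) if m else None


def review_pin_update(old_line, new_line):
    """Return findings for a one-line pin update; an empty list means it is consistent."""
    old, new = parse_uses(old_line), parse_uses(new_line)
    if old is None or new is None:
        return ["line is not a `uses:` reference"]
    findings = []
    if old[0] != new[0]:
        findings.append(f"action changed: {old[0]} -> {new[0]}")
    if not FULL_SHA_RE.fullmatch(new[1]):
        findings.append(f"new ref {new[1]!r} is not a full 40-hex commit SHA")
    if new[2] is None:
        findings.append("no version comment next to the pinned ref")
    # If the SHA moves while the comment stays (or the reverse), the readable
    # version no longer describes the commit that will actually run.
    elif (old[1] != new[1]) != (old[2] != new[2]):
        findings.append("SHA and version comment did not change together")
    return findings


if __name__ == "__main__":
    print(review_pin_update(OLD, NEW) or "pin update is consistent")
```

This check is offline: it does not confirm that the new SHA is the commit the v4.1.0 tag points to, which needs a lookup against the upstream repository.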
