Skip to content

Bump docker/build-push-action from 6 to 7#29

Merged
rennf93 merged 1 commit into
masterfrom
dependabot/github_actions/docker/build-push-action-7
Mar 9, 2026
Merged

Bump docker/build-push-action from 6 to 7#29
rennf93 merged 1 commit into
masterfrom
dependabot/github_actions/docker/build-push-action-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps docker/build-push-action from 6 to 7.

Release notes

Sourced from docker/build-push-action's releases.

v7.0.0

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v6.19.2

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

v6.18.0

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

... (truncated)

Commits
  • d08e5c3 Merge pull request #1479 from docker/dependabot/npm_and_yarn/docker/actions-t...
  • cbd2dff chore: update generated content
  • f76f51f chore(deps): Bump @​docker/actions-toolkit from 0.78.0 to 0.79.0
  • 7d03e66 Merge pull request #1473 from crazy-max/rm-deprecated-envs
  • 98f853d chore: update generated content
  • cadccf6 remove deprecated envs
  • 03fe877 Merge pull request #1478 from docker/dependabot/github_actions/docker/setup-b...
  • 827e366 chore(deps): Bump docker/setup-buildx-action from 3 to 4
  • e25db87 Merge pull request #1474 from crazy-max/rm-export-build-tool
  • 1ac2573 Merge pull request #1470 from crazy-max/node24
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 9, 2026
@github-actions

github-actions Bot commented Mar 9, 2026
edited
Loading

Copy link
Copy Markdown

🔍 Vulnerabilities of renzof93/github-actions-secrets-mgmt:latest

📦 Image Reference renzof93/github-actions-secrets-mgmt:latest
digestsha256:da8fd41f5bb18a1527afdfe8ed829645ae5ff6c37e552e31f9ccc96ee23f8b76
vulnerabilitiescritical: 0 high: 0 medium: 2 low: 0
platformlinux/amd64
size104 MB
packages63
📦 Base Image python:3-alpine3.20
also known as
  • 3.13-alpine3.20
  • 3.13.3-alpine3.20
  • alpine3.20
digestsha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
vulnerabilitiescritical: 1 high: 5 medium: 12 low: 4
critical: 0 high: 0 medium: 1 low: 0 requests 2.32.3 (pypi)

pkg:pypi/requests@2.32.3

medium 5.3: CVE--2024--47081 Insufficiently Protected Credentials

Affected range<2.32.4
Fixed version2.32.4
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score0.154%
EPSS Percentile36th percentile
Description

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

critical: 0 high: 0 medium: 1 low: 0 pynacl 1.5.0 (pypi)

pkg:pypi/pynacl@1.5.0

medium 4.5: CVE--2025--69277 Incomplete List of Disallowed Inputs

Affected range<1.6.2
Fixed version1.6.2
CVSS Score4.5
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score0.007%
EPSS Percentile1st percentile
Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

This advisoory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.

@github-actions

github-actions Bot commented Mar 9, 2026
edited
Loading

Copy link
Copy Markdown

Recommended fixes for image renzof93/github-actions-secrets-mgmt:latest

Base image is python:3-alpine3.20

Name3.13.3-alpine3.20
Digestsha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
Vulnerabilitiescritical: 1 high: 5 medium: 12 low: 4
Pushed10 months ago
Size16 MB
Packages41
Flavoralpine
OS3.20
Runtime3.13.3

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
3-alpine
Tag is preferred tag
Also known as:
  • alpine
  • alpine3.23
  • 3.14.3-alpine
  • 3.14.3-alpine3.23
  • 3.14-alpine
  • 3.14-alpine3.23
  • 3-alpine3.23
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 18
  • Image contains equal number of packages
  • 3-alpine was pulled 51K times last month
Image details:
  • Size: 18 MB
  • Flavor: alpine
  • OS: 3.23
  • Runtime: 3.14.3
 1 month ago



3.13-alpine
Minor runtime version update
Also known as:
  • 3.13.12-alpine
  • 3.13.12-alpine3.23
  • 3.13-alpine3.23
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Image contains 2 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 18
Image details:
  • Size: 17 MB
  • Flavor: alpine
  • OS: 3.23
  • Runtime: 3.13.12
 1 month ago



3.13-alpine3.22
Minor runtime version update
Also known as:
  • 3.13.12-alpine3.22
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Image contains 2 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 19
Image details:
  • Size: 17 MB
  • Flavor: alpine
  • OS: 3.22
  • Runtime: 3.13.12
 1 month ago



3-alpine3.22
Minor runtime version update
Also known as:
  • alpine3.22
  • 3.14.3-alpine3.22
  • 3.14-alpine3.22
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 19
  • Image contains equal number of packages
Image details:
  • Size: 18 MB
  • Flavor: alpine
  • OS: 3.22
  • Runtime: 3.14.3
 1 month ago



@dependabot
Bump docker/build-push-action from 6 to 7
d328783 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/build-push-action-7 branch from 8ee56a2 to d328783 Compare March 9, 2026 19:49
@rennf93 rennf93 merged commit a23625b into master Mar 9, 2026
1 of 2 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/docker/build-push-action-7 branch March 9, 2026 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rennf93