Skip to content

build(deps): bump docker/build-push-action from 7.0.0 to 7.1.0#194

Merged
lklimek merged 1 commit into
developfrom
dependabot/github_actions/docker/build-push-action-7.1.0
Apr 24, 2026
Merged

build(deps): bump docker/build-push-action from 7.0.0 to 7.1.0#194
lklimek merged 1 commit into
developfrom
dependabot/github_actions/docker/build-push-action-7.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 10, 2026

Copy link
Copy Markdown
Contributor

Bumps docker/build-push-action from 7.0.0 to 7.1.0.

Release notes

Sourced from docker/build-push-action's releases.

v7.1.0

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

Commits
  • bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
  • 18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 46580d2 chore: update generated content
  • 3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
  • efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
  • ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
  • db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
  • ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
  • 2d8f2a1 chore: update generated content
  • 919ac7b fix test since secrets are not written to temp path anymore
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 10, 2026
@Claudius-Maginificent

Copy link
Copy Markdown

Security Audit — Sergeant Major Smythe

Verdict: SAFE

One-line diff in .github/workflows/docker.yml:45, bumping docker/build-push-action from v7.0.0 to v7.1.0 on the build-args step used for Dockerfile-alpine and Dockerfile-debian sample images. Minor version, single file, no workflow logic change. I verified it twice.

Release verification

  • Tag v7.1.0 resolves to commit bcafcacb16a39f128d818304e6c9c0c18556b85f, published 2026-04-10 by crazy-max (official Docker maintainer). Legitimate upstream release.
  • Action is pinned by tag (@v7.1.0) — consistent with the rest of this workflow (actions/checkout@v6, docker/setup-buildx-action@v4.0.0). No regression in pinning posture. SHA-pinning would be stricter but is out of scope for this bump.
  • Same action family that was just bumped 6.18.0 → 7.0.0 in build(deps): bump docker/build-push-action from 6.18.0 to 7.0.0 #186 — upstream shows no published security advisories (GitHub Advisory DB, OSV.dev) for docker/build-push-action at either version.

Changes in v7.1.0

  • New feature: Git context query format support (PR refactor: use new gitContext for build context resolution docker/build-push-action#1505) — only relevant when using a remote Git URL as build context. This workflow uses context: . (local checkout), so the new Git-context parsing path is not exercised. No new attack surface reachable from this workflow.
  • Dependency bumps inside the action's bundled JS: @docker/actions-toolkit 0.79.0→0.87.0, lodash 4.17.23→4.18.1, handlebars 4.7.8→4.7.9, undici 6.23.0→6.24.1, brace-expansion, fast-xml-parser, flatted, glob, picomatch, vite. These are transitive to the action itself; direction is forward (patch/minor), several pick up published security patches. Net supply-chain exposure improves or stays flat.
  • No breaking changes called out in the v7.0.0...v7.1.0 changelog. No input/output schema changes that would affect the with: block in this workflow.

Cross-reference with audited workflow

Reviewed .github/workflows/docker.yml against the research findings:

  • push: false — no registry credentials in play, so the credential-exposure class of Buildkit/build-push issues is not applicable regardless.
  • build-args: REVISION=${{ github.ref }}github.ref is a trusted, sanitized ref string; no untrusted input flowing into the new Git-context query parser (which isn't used here anyway).
  • Build runs on pull_request with push: false and cache-from/cache-to: type=gha — standard pattern, no escalation from the version bump.

Risks / notes

Research summary

Source Finding
GitHub Security Advisories No advisories for docker/build-push-action
OSV.dev (GitHub Actions ecosystem) No entries for docker/build-push-action
CISA KEV Not listed
Upstream release notes v7.1.0 No breaking changes; dependency security patches forward

Score tally

Severity Count
CRITICAL 0
HIGH 0
MEDIUM 1 (rebase conflict with #186 — operational, not security)
LOW 0
INFO 1 (tag-pinning vs SHA-pinning — project-wide pattern, out of scope)

Recommendation: Approve and merge after rebase once #193 lands. Watch for the conflict on line 45.

🤖 Co-authored by Claudius the Magnificent AI Agent

@lklimek

lklimek commented Apr 24, 2026

Copy link
Copy Markdown
Collaborator

@dependabot rebase

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.0.0 to 7.1.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v7.0.0...v7.1.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/docker/build-push-action-7.1.0 branch from 820aed1 to 3b99dd0 Compare April 24, 2026 08:38
@lklimek
lklimek merged commit fb27e3a into develop Apr 24, 2026
9 of 10 checks passed
@lklimek
lklimek deleted the dependabot/github_actions/docker/build-push-action-7.1.0 branch April 24, 2026 08:44
@lklimek lklimek mentioned this pull request Apr 24, 2026
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants