Skip to content

build(deps): bump the minor-and-patch group across 1 directory with 5 updates#12500

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/minor-and-patch-7272907ea4
Open

build(deps): bump the minor-and-patch group across 1 directory with 5 updates#12500
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/minor-and-patch-7272907ea4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 5 updates in the / directory:

Package From To
aquasecurity/trivy-action 0.35.0 0.36.0
docker/setup-compose-action 2.2.0 2.3.0
docker/setup-buildx-action 4.1.0 4.2.0
docker/login-action 4.2.0 4.4.0
docker/build-push-action 7.2.0 7.3.0

Updates aquasecurity/trivy-action from 0.35.0 to 0.36.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.36.0

What's Changed

New Contributors

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

Commits
  • ed142fd chore: update action version to v0.36.0 in examples (#563)
  • dea62cf chore(deps): Update trivy to v0.70.0 (#559)
  • 128d9a8 chore: use GitHub Actions as git commit author in bump-trivy workflow (#561)
  • 876cf04 Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 (#548)
  • dada784 Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name (#547)
  • 4a2deec fix: use portable shebang in entrypoint.sh (#545)
  • 1994662 chore(deps): bump the actions group with 5 updates (#558)
  • 6b36659 chore: add zizmor config (#557)
  • 316aa5a ci: add dependabot config (#556)
  • 264c9c5 test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)
  • Additional commits viewable in compare view

Updates docker/setup-compose-action from 2.2.0 to 2.3.0

Release notes

Sourced from docker/setup-compose-action's releases.

v2.3.0

Full Changelog: docker/setup-compose-action@v2.2.0...v2.3.0

Commits
  • 4eb059f Merge pull request #119 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 310654b [dependabot skip] chore: update generated content
  • 2f4a309 chore(deps): bump @​docker/actions-toolkit from 0.91.0 to 0.92.0
  • 7d865ff Merge pull request #111 from docker/dependabot/npm_and_yarn/undici-6.27.0
  • a11ad46 [dependabot skip] chore: update generated content
  • ea03e82 chore(deps): bump undici from 6.26.0 to 6.27.0
  • d37dd72 Merge pull request #118 from docker/dependabot/npm_and_yarn/js-yaml-4.3.0
  • 146a460 [dependabot skip] chore: update generated content
  • d3b0309 Merge pull request #108 from docker/dependabot/npm_and_yarn/tmp-0.2.7
  • e04d0ba chore(deps): bump js-yaml from 4.1.1 to 4.3.0
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 4.1.0 to 4.2.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.2.0

Full Changelog: docker/setup-buildx-action@v4.1.0...v4.2.0

Commits
  • bb05f3f Merge pull request #580 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 321c814 [dependabot skip] chore: update generated content
  • b9a36ef build(deps): bump @​docker/actions-toolkit from 0.91.0 to 0.92.0
  • ebeab24 Merge pull request #570 from docker/dependabot/npm_and_yarn/undici-6.27.0
  • 5c7b8ae [dependabot skip] chore: update generated content
  • 037e618 build(deps): bump undici from 6.25.0 to 6.27.0
  • 66080e5 Merge pull request #577 from docker/dependabot/npm_and_yarn/sigstore-4.1.1
  • 409aef0 Merge pull request #562 from docker/dependabot/npm_and_yarn/js-yaml-4.2.0
  • 49c6e42 build(deps): bump sigstore from 4.1.0 to 4.1.1
  • 2211273 [dependabot skip] chore: update generated content
  • Additional commits viewable in compare view

Updates docker/login-action from 4.2.0 to 4.4.0

Release notes

Sourced from docker/login-action's releases.

v4.4.0

Full Changelog: docker/login-action@v4.3.0...v4.4.0

v4.3.0

Full Changelog: docker/login-action@v4.2.0...v4.3.0

Commits
  • af1e73f Merge pull request #1034 from docker/dependabot/npm_and_yarn/aws-sdk-dependen...
  • da722bd [dependabot skip] chore: update generated content
  • 2916ad6 build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
  • ca0a662 Merge pull request #1035 from crazy-max/fix-registry-auth-empty-mask
  • c455755 chore: update generated content
  • 4835190 skip empty registry-auth secret mask
  • 992421c Merge pull request #1033 from docker/dependabot/github_actions/docker/bake-ac...
  • b249b43 Merge pull request #1032 from docker/dependabot/github_actions/docker/bake-ac...
  • 1b67977 build(deps): bump docker/bake-action from 7.2.0 to 7.3.0
  • 9d49d6a build(deps): bump docker/bake-action/subaction/matrix
  • Additional commits viewable in compare view

Updates docker/build-push-action from 7.2.0 to 7.3.0

Release notes

Sourced from docker/build-push-action's releases.

v7.3.0

Full Changelog: docker/build-push-action@v7.2.0...v7.3.0

Commits
  • 53b7df9 Merge pull request #1572 from docker/dependabot/npm_and_yarn/docker/actions-t...
  • 154298c [dependabot skip] chore: update generated content
  • cb1238b chore(deps): Bump @​docker/actions-toolkit from 0.91.0 to 0.92.0
  • 24f845d Merge pull request #1566 from docker/dependabot/npm_and_yarn/js-yaml-4.2.0
  • 9c69730 [dependabot skip] chore: update generated content
  • bc3a3a5 Merge pull request #1574 from docker/dependabot/github_actions/aws-actions/co...
  • a82c504 chore(deps): Bump js-yaml from 4.1.1 to 4.3.0
  • 0285a75 Merge pull request #1573 from docker/dependabot/github_actions/actions/cache-...
  • c6ad2a3 Merge pull request #1575 from docker/dependabot/github_actions/actions/checko...
  • d37484f Merge pull request #1564 from docker/dependabot/npm_and_yarn/undici-6.27.0
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 5, 2026 22:04
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 5, 2026
@update-docs

update-docs Bot commented Jul 5, 2026

Copy link
Copy Markdown

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@kw-security

kw-security commented Jul 5, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@dj4oC dj4oC left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot "minor-and-patch" group (4 GitHub Actions pins, SHA-pinned): aquasecurity/trivy-action v0.35.0→v0.36.0, docker/setup-compose-action v2.2.0→v2.3.0, docker/setup-buildx-action v4.1.0→v4.2.0, docker/login-action v4.2.0→v4.4.0, docker/build-push-action v7.2.0→v7.3.0. Workflow YAML only — no application source touched.

  • Security: no findings — all official/verified actions, SHA-pinned, no CVE
  • Stability: no findings
  • Performance: no findings
  • Test coverage: n/a — workflow-config-only change
  • TODOs found: none
  • Dependency touched: yes — covered by dependabot.yml's github-actions group config
  • CI status: Snyk checks green; the acceptance-test matrix has not run on this commit (these workflow files aren't exercised by the default non-[full-ci] gate) — not confirmed green end-to-end, unlike #12502 which triggered the full suite
  • Stale review: no

Verdict

Commenting — low risk (CI/build tooling only, not runtime code), but withholding the fast-lane auto-merge since the full acceptance suite hasn't actually run on this commit. Recommend a maintainer add [full-ci] before merge, or merge manually if the risk is accepted as-is.

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

@dependabot dependabot Bot changed the title build(deps): bump the minor-and-patch group with 5 updates build(deps): bump the minor-and-patch group across 1 directory with 5 updates Jul 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/minor-and-patch-7272907ea4 branch from 53852b7 to ec298f9 Compare July 8, 2026 04:22
… updates

Bumps the minor-and-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.35.0` | `0.36.0` |
| [docker/setup-compose-action](https://github.com/docker/setup-compose-action) | `2.2.0` | `2.3.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.1.0` | `4.2.0` |
| [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `7.2.0` | `7.3.0` |



Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@0.35.0...ed142fd)

Updates `docker/setup-compose-action` from 2.2.0 to 2.3.0
- [Release notes](https://github.com/docker/setup-compose-action/releases)
- [Commits](docker/setup-compose-action@16feee7...4eb059f)

Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@d7f5e7f...bb05f3f)

Updates `docker/login-action` from 4.2.0 to 4.4.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@650006c...af1e73f)

Updates `docker/build-push-action` from 7.2.0 to 7.3.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@f9f3042...53b7df9)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: docker/build-push-action
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: docker/login-action
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: docker/setup-compose-action
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/minor-and-patch-7272907ea4 branch from ec298f9 to 0fa04e1 Compare July 12, 2026 22:05

@DeepDiver1975 DeepDiver1975 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot bump; CI green. Approving.

@DeepDiver1975

Copy link
Copy Markdown
Member

⚠️ Please disregard my approval above — it was posted in error by an automated Dependabot-sweep job that mistakenly ran on this repository, where I do not have merge permissions. This is not a maintainer sign-off. Apologies for the noise; the automation has been corrected to skip repos I can't merge into.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants