Skip to content

Bump docker/build-push-action from 6 to 7#178

Merged
svengo merged 1 commit into
mainfrom
revert-175-revert-174-dependabot/github_actions/docker/build-push-action-7
Mar 7, 2026
Merged

Bump docker/build-push-action from 6 to 7#178
svengo merged 1 commit into
mainfrom
revert-175-revert-174-dependabot/github_actions/docker/build-push-action-7

Conversation

@svengo

@svengo svengo commented Mar 7, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • Updated Docker build pipeline tools to latest versions for enhanced reliability and performance.

@coderabbitai

coderabbitai Bot commented Mar 7, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

The PR updates the docker/build-push-action GitHub Actions dependency from v6 to v7 in two workflow files (anchore.yml and publish-docker.yml). No other parameters or control flow changes are made.

Changes

Cohort / File(s) Summary
GitHub Actions Workflows
.github/workflows/anchore.yml, .github/workflows/publish-docker.yml
Updated docker/build-push-action from v6 to v7 in both workflow files' Docker build-push steps.

Possibly related PRs

Poem

🐰 Hopped through the workflows with glee so keen,
Bumped the actions from v6 to v7 so clean,
No logic changed, just versions aligned,
Docker builds stronger, more refined! 🐇

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: upgrading docker/build-push-action from version 6 to version 7 across two workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch revert-175-revert-174-dependabot/github_actions/docker/build-push-action-7

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@svengo svengo changed the title Revert "Revert "Bump docker/build-push-action from 6 to 7"" Bump docker/build-push-action from 6 to 7 Mar 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-docker.yml:
- Around line 66-67: Replace the mutable tag for the third‑party action used in
the workflow by pinning to the full commit SHA: change the uses reference for
docker/build-push-action (the line currently using
"docker/build-push-action@v7") to the immutable commit SHA
"d08e5c354a6adb9ed34480a06d141179aa583294" so the workflow uses
docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294; update any
similar non-pinned uses in the same workflow to full-length commit SHAs as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aa0a17a0-ef71-4000-80a2-4b1713f087ab

📥 Commits

Reviewing files that changed from the base of the PR and between e9febbf and a845cb3.

📒 Files selected for processing (2)
  • .github/workflows/anchore.yml
  • .github/workflows/publish-docker.yml

Comment on lines 66 to +67
name: Build and push Docker image
uses: docker/build-push-action@v6
uses: docker/build-push-action@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Pin this third-party action to an immutable SHA.

This job can push packages and mint attestations, so docker/build-push-action@v7 is a mutable trust boundary. Please pin the v7.0.0 release commit (d08e5c354a6adb9ed34480a06d141179aa583294) instead of the v7 tag. GitHub recommends full-length commit SHAs here because tags can move. (docs.github.com)

🔒 Proposed fix
-      uses: docker/build-push-action@v7
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0

Run this to find other workflow action refs that are still not pinned to full SHAs:

#!/bin/bash
rg -n --glob '.github/workflows/*.yml' \
  '^\s*uses:\s*(?!\./)[^#[:space:]]+@(?![0-9a-fA-F]{40}\b)[^#[:space:]]+' \
  .github/workflows
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-docker.yml around lines 66 - 67, Replace the
mutable tag for the third‑party action used in the workflow by pinning to the
full commit SHA: change the uses reference for docker/build-push-action (the
line currently using "docker/build-push-action@v7") to the immutable commit SHA
"d08e5c354a6adb9ed34480a06d141179aa583294" so the workflow uses
docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294; update any
similar non-pinned uses in the same workflow to full-length commit SHAs as well.

@svengo
svengo merged commit 5ce1acf into main Mar 7, 2026
3 checks passed
@svengo
svengo deleted the revert-175-revert-174-dependabot/github_actions/docker/build-push-action-7 branch March 7, 2026 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant