Bump docker/build-push-action from 6 to 7#178
Conversation
WalkthroughThe PR updates the docker/build-push-action GitHub Actions dependency from v6 to v7 in two workflow files (anchore.yml and publish-docker.yml). No other parameters or control flow changes are made. Changes
Possibly related PRs
Poem
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs). Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/publish-docker.yml:
- Around line 66-67: Replace the mutable tag for the third‑party action used in
the workflow by pinning to the full commit SHA: change the uses reference for
docker/build-push-action (the line currently using
"docker/build-push-action@v7") to the immutable commit SHA
"d08e5c354a6adb9ed34480a06d141179aa583294" so the workflow uses
docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294; update any
similar non-pinned uses in the same workflow to full-length commit SHAs as well.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: aa0a17a0-ef71-4000-80a2-4b1713f087ab
📒 Files selected for processing (2)
.github/workflows/anchore.yml.github/workflows/publish-docker.yml
| name: Build and push Docker image | ||
| uses: docker/build-push-action@v6 | ||
| uses: docker/build-push-action@v7 |
There was a problem hiding this comment.
Pin this third-party action to an immutable SHA.
This job can push packages and mint attestations, so docker/build-push-action@v7 is a mutable trust boundary. Please pin the v7.0.0 release commit (d08e5c354a6adb9ed34480a06d141179aa583294) instead of the v7 tag. GitHub recommends full-length commit SHAs here because tags can move. (docs.github.com)
🔒 Proposed fix
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0Run this to find other workflow action refs that are still not pinned to full SHAs:
#!/bin/bash
rg -n --glob '.github/workflows/*.yml' \
'^\s*uses:\s*(?!\./)[^#[:space:]]+@(?![0-9a-fA-F]{40}\b)[^#[:space:]]+' \
.github/workflows🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/publish-docker.yml around lines 66 - 67, Replace the
mutable tag for the third‑party action used in the workflow by pinning to the
full commit SHA: change the uses reference for docker/build-push-action (the
line currently using "docker/build-push-action@v7") to the immutable commit SHA
"d08e5c354a6adb9ed34480a06d141179aa583294" so the workflow uses
docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294; update any
similar non-pinned uses in the same workflow to full-length commit SHAs as well.
Summary by CodeRabbit