Bump docker/setup-qemu-action from 3 to 4 #336

Merged: cmmarslender merged 1 commit into main from dependabot/github_actions/docker/setup-qemu-action-4 on Mar 19, 2026
@dependabot (Bot) commented on behalf of github on Mar 17, 2026

Bumps docker/setup-qemu-action from 3 to 4.

Release notes

Sourced from docker/setup-qemu-action's releases.

v4.0.0

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

v3.6.0

Full Changelog: docker/setup-qemu-action@v3.5.0...v3.6.0

v3.5.0

Full Changelog: docker/setup-qemu-action@v3.4.0...v3.5.0

v3.4.0

Full Changelog: docker/setup-qemu-action@v3.3.0...v3.4.0

v3.3.0

Full Changelog: docker/setup-qemu-action@v3.2.0...v3.3.0

v3.2.0

Full Changelog: docker/setup-qemu-action@v3.1.0...v3.2.0

v3.1.0

... (truncated)

Commits
  • ce36039 Merge pull request #245 from crazy-max/node24
  • 6386344 node 24 as default runtime
  • 1ea3db7 Merge pull request #243 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • b56a002 chore: update generated content
  • c43f02d build(deps): bump @docker/actions-toolkit from 0.67.0 to 0.77.0
  • ce10c58 Merge pull request #244 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
  • 429fc9d chore: update generated content
  • 060e5f8 build(deps): bump @actions/core from 1.11.1 to 3.0.0
  • 44be13e Merge pull request #231 from docker/dependabot/npm_and_yarn/js-yaml-3.14.2
  • 1897438 chore: update generated content
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk CI-only change that updates the QEMU setup GitHub Action; potential impact is limited to the riscv64 build workflow if the new major version behaves differently.

Overview
Updates the riscv64 GitHub Actions workflow to use docker/setup-qemu-action@v4 instead of @v3 for QEMU setup, keeping the rest of the build/test steps unchanged.

Written by Cursor Bugbot for commit f7c9719. This will update automatically on new commits.

@dependabot (Bot) added the labels "Changed" (Required label for PR that categorizes merge commit message as "Changed" for changelog), "dependencies" (Pull requests that update a dependency file), and "github_actions" (Pull requests that update Github_actions code) on Mar 17, 2026
@github-actions

🤖 Cursor Dependency Analysis

The action is used in exactly one place in this repo. Let me verify the upstream action's interface hasn't changed in a breaking way. Here is my review:


1. Usage sites

The dependency is used in exactly one place:

        uses: docker/setup-qemu-action@v4
        with:
          platforms: riscv64

The PR has already updated the tag from @v3 to @v4 (the file on this branch already reads @v4).

2. API compatibility

The action.yml in v4 retains the same inputs (image, platforms, cache-image) and outputs (platforms) as v3. The only input used here -- platforms: riscv64 -- is unchanged. No inputs were removed, renamed, or had their defaults changed in a breaking way.

The major version bump is driven by:

  • Switching the runtime from Node 20 to Node 24 (runs.using: 'node24')
  • Internal dependency bumps (@actions/core 1.x -> 3.x, toolkit, ESM migration)

None of these affect the action's public interface or behavior.

3. Risks / unknowns

  • Runner version requirement: v4 requires Actions Runner >= v2.327.1 for Node 24 support. GitHub-hosted ubuntu-latest runners (used by this workflow) are kept current and already meet this requirement. Self-hosted runners would need verification, but this repo uses ubuntu-latest.
  • Functional risk: Negligible. The action's purpose (pulling tonistiigi/binfmt and registering QEMU binfmt interpreters) is unchanged. No input/output contract changes.

4. Recommendation: merge

This is a safe, straightforward major bump driven entirely by Node runtime and internal tooling upgrades. The action's public API is identical, the single usage site is simple, and GitHub-hosted runners already support Node 24. No caveats needed.

@cmmarslender

@dependabot sign your commits

@cmmarslender

@dependabot recreate

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot (Bot) force-pushed the dependabot/github_actions/docker/setup-qemu-action-4 branch from 3086fee to f7c9719 on March 17, 2026 18:42

github-actions Bot commented Mar 17, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how the action is referenced in the repository to ground the review.

Verdict: benign

Why

  • Source: The dependency is the official docker/setup-qemu-action repo under Docker — not a typosquat or unknown publisher.

  • Scanner report: After allowlisting, unicode / confusable / IOC counts are 0. The 54 heuristic hits line up with normal bundled action code: minified dist/ output, source maps, and lockfile lines where patterns match substrings like @actions/exec and cross-spawn (package names), not evidence of malicious exec/spawn usage. Nothing in the summary points to hidden payloads, unexpected hosts, or persistence.

  • Release behavior: v4.0.0’s documented changes (Node 24 default, runner ≥ v2.327.1, ESM, routine @actions/core / toolkit bumps) match a maintenance major, not a supply-chain anomaly.

  • Dependabot scope: For this repo, the meaningful change is pinning the action to v4 in CI (e.g. build-riscv64.yml); that is expected for this kind of PR, not a red flag for “workflow tampering.”

Actionable note: If a job ever failed only on very old self-hosted runners below v2.327.1, upgrading the runner would be required — that’s an environment requirement from upstream, not malware.

Scanner vs interpretation: The heuristics flag benign noise in minified deps and lockfile strings; they do not contradict a benign conclusion.

Compatibility Analysis

Searching the repo for setup-qemu-action usage and reviewing workflow context.

1) Where it’s used

Single real usage: .github/workflows/build-riscv64.yml — step “Set up QEMU on x86_64” with uses: docker/setup-qemu-action@v4 and with: platforms: riscv64.

Other hits are only under .upstream-dependency/ (upstream repo copy / issue templates), not your CI.


2) Overlap with v4 changes

From release notes and .upstream-dependency/action.yml, v4 is mainly Node 24 as the action runtime, ESM, and dependency bumps. Inputs/outputs are unchanged for normal use: platforms, optional image, optional cache-image; output platforms still exists.

This workflow only sets platforms: riscv64. The step has id: qemu but nothing references steps.qemu.outputs, so output behavior is irrelevant unless you add that later.

Conclusion: Your usage does not depend on APIs that were called out as changed in a breaking way for consumers; it’s a minimal, stable pattern.


3) Risks / unknowns

| Risk | Notes |
| --- | --- |
| Runner version | v4 needs Actions Runner ≥ v2.327.1 (Node 24). GitHub-hosted ubuntu-latest is expected to satisfy this in practice. |
| Self-hosted runners | If this job ever runs on an old self-hosted runner, the action could fail to start. Your matrix uses runs-on: ubuntu-latest only. |
| QEMU/binfmt behavior | Same as any QEMU upgrade: small chance of edge-case Docker/QEMU issues on linux/riscv64; unrelated to JS/API surface. |

4) Recommendation

Merge — appropriate for this repo as configured: one workflow, hosted runners, standard platforms input only, no reliance on step outputs.

If you introduce self-hosted runners for this job without upgrading them, revisit runner version first; otherwise no need to hold the PR.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 22
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: c7c53464625b32c7a7e944ae62b3e17d2b600130..ce360397dd3f832beb865e1373c09c0e9f86d70a
  • Resolved refs: from=c7c53464625b32c7a7e944ae62b3e17d2b600130 to=ce360397dd3f832beb865e1373c09c0e9f86d70a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 54

Top findings

  • dist/sourcemap-register.cjs:1 codepoint_decoder
  • dist/index.js:1 codepoint_decoder
  • dist/index.js:8 codepoint_decoder
  • dist/index.js:9 codepoint_decoder
  • dist/index.js:10 codepoint_decoder
  • dist/index.js:15 codepoint_decoder
  • dist/index.js.map:1 codepoint_decoder
  • dist/index.js.map:1 dynamic_require_import
  • dist/sourcemap-register.cjs:1 shell_process_spawn
  • dist/licenses.txt:25 shell_process_spawn :: @actions/exec
  • yarn.lock:42 shell_process_spawn :: "@actions/exec": "npm:^3.0.0"
  • yarn.lock:58 shell_process_spawn :: "@actions/exec": "npm:^3.0.0"
  • yarn.lock:64 shell_process_spawn :: "@actions/exec@npm:^3.0.0":
  • yarn.lock:66 shell_process_spawn :: resolution: "@actions/exec@npm:3.0.0"
  • yarn.lock:130 shell_process_spawn :: "@actions/exec": "npm:^3.0.0"
  • yarn.lock:377 shell_process_spawn :: "@actions/exec": "npm:^3.0.0"
  • yarn.lock:2047 shell_process_spawn :: "cross-spawn@npm:^7.0.0, cross-spawn@npm:^7.0.6":
  • yarn.lock:2049 shell_process_spawn :: resolution: "cross-spawn@npm:7.0.6"
  • yarn.lock:2367 shell_process_spawn :: cross-spawn: "npm:^7.0.6"
  • yarn.lock:2591 shell_process_spawn :: cross-spawn: "npm:^7.0.0"

@cmmarslender merged commit d122a4e into main on Mar 19, 2026
67 checks passed
@cmmarslender deleted the dependabot/github_actions/docker/setup-qemu-action-4 branch on March 19, 2026 17:21