chore(ci): bump docker/metadata-action from 5.10.0 to 6.1.0 #406
dependabot[bot] wants to merge 1 commit into
@dependabot rebase Rebasing to pick up the current CI (a fresh
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.10.0 to 6.1.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@c299e40...80c7e94)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
1295d2b to 0be462b
lml2468
left a comment
QA Verdict: APPROVED
Scope: CI workflow file only — single-line SHA-pinned bump of docker/metadata-action from v5.10.0 (c299e40c) to v6.1.0 (80c7e94d) in .github/workflows/docker-publish.yml. No application code, no test surface, no runtime user-facing behavior touched.
Verification:
- ✅ CI: Build, Detect changed paths, dependency-review, osv-scan, secret-scan, actionlint, Workflow Sanity — all green on head SHA 0be462b.
- ✅ code-review status: SUCCESS.
- ⚠️ check-sprint / check-sprint FAILED twice — root cause from log: `No linked issue found. Please add a 'Closes #<issue>' reference.` This is a board-policy gate that dependabot PRs inherently can't satisfy (no linked tracking issue on GH Project board). Not a regression introduced by this PR; same failure mode hits every dependabot PR in this repo (see e.g. #407, #408). Maintainer override / board-link is the human path.
Test coverage: N/A — the workflow itself is the test surface, and the next time docker-publish.yml actually runs (on main push) will be the live integration. The action consumes images, flavor: latest=auto, tags: type=semver,* inputs — all stable across v5→v6 (release notes confirm no input rename / removal for these). The downstream Create manifest list step already defends against zero-tag output (refusing to publish manifest) and uses an array-quoted jq pipeline (no shell injection vector regardless of action output).
Flakiness / boundaries: SHA-pinned (immutable target). No new env / inputs / outputs touched.
Verdict: approve — no QA blockers. check-sprint failure is policy, not code.
lml2468
left a comment
Security Verdict: CLEARED
Threat surface evaluated (STRIDE applied to a CI workflow consumer change):
| Vector | Assessment |
|---|---|
| Supply chain (Tampering) | Action is commit-SHA pinned to 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 (immutable). Upstream maintainer unchanged (docker/metadata-action, official Docker org). v6.1.0 internals bump bundled deps (handlebars 4.7.9 patch, brace-expansion 5.0.6, undici 6.25.0, etc.) — all upward in version. No new transitive maintainer surface. |
| Major-version risk (v5→v6) | v6.0.0 switched runtime to Node 24 (requires Actions Runner ≥ v2.327.1) — log confirms runner 2.335.1, satisfies. v6 switched action source to ESM (internal-only, no contract change). "List inputs preserve # inside values" change does NOT affect this workflow: the tags: block contains only type=semver,... entries, no #-bearing values; YAML # comments above the keys are stripped by YAML parser before reaching the action. |
| Secrets / authN-authZ | No change to secrets.DOCKERHUB_USERNAME/DOCKERHUB_TOKEN usage. docker/metadata-action doesn't accept secrets as inputs (only image tags). environment: docker-hub-publish gate intact. |
| Output injection (Spoofing/Tampering downstream) | Downstream Create manifest list step uses tags=(-t "$tag") array assembly via jq -r '.tags[]' — no shell interpolation of action output, so a malicious tag output couldn't shell-inject. Existing defense survives the bump. |
| Disclosure | No new logging surface or output schema breakage; steps.meta.outputs.json shape preserved (v6 release notes don't deprecate the json output). |
| DoS | Action runtime characteristics unchanged. |
| Elevation | No privileged step added. |
SBOM diff: dependabot already vets the action repo's own deps in the bumped release (release notes enumerate 14 upstream lockfile bumps, all version-up). OSV-Scanner workflow gate passed on the PR head SHA.
Verdict: approve — supply-chain posture preserved, no new attack surface, downstream consumer defenses intact.
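The output-injection point that both the QA and the security review make about the Create manifest list step, shown as an added example that is not code from this PR or its repository. A constructed stand-in for `steps.meta.outputs.json` carrying a hostile tag is fed first to the pattern the reviews warn against (the action's output flattened into a command string and re-parsed by the shell) and then to the array-assembled form the reviews describe, including the zero-tag refusal. `fake_docker`, `META_JSON` and the tag values are invented for the demo; the real step would pass the same argv to `docker buildx imagetools create`.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or its repository. Tags coming out of
# docker/metadata-action must reach the shell as argv elements, never through a
# re-parsed command string. fake_docker and META_JSON are invented for the demo.
set -euo pipefail

# Constructed stand-in for steps.meta.outputs.json. The last tag carries a shell
# metacharacter payload; in a real pipeline such a value would come from a tag
# template built on untrusted input (a branch name, say), not from semver tags.
META_JSON='{"tags":["ghcr.io/example/app:1.2.3","ghcr.io/example/app:latest","ghcr.io/example/app:x;echo INJECTED"]}'

# Stand-in for the docker CLI: prints one argv element per line so the exact
# arguments that would reach `docker buildx imagetools create` are visible.
fake_docker() { printf '%s\n' "$@"; }

# VULNERABLE: flattens the tags into one string and hands it back to the shell.
# The ";echo INJECTED" inside the third tag becomes a second command.
vulnerable_publish() {
    local json="$1"
    local flat
    flat=$(jq -r '.tags[] | "-t " + .' <<<"$json" | tr '\n' ' ')
    eval "fake_docker buildx imagetools create $flat"
}

# HARDENED: one array element per tag, no re-parsing, plus a zero-tag guard,
# the same shape the reviews describe for the downstream manifest step.
hardened_publish() {
    local json="$1"
    local -a tags=() args=()
    local t
    while IFS= read -r t; do tags+=("$t"); done < <(jq -r '.tags[]' <<<"$json")
    if [ "${#tags[@]}" -eq 0 ]; then
        echo "refusing to publish: metadata-action produced no tags" >&2
        return 1
    fi
    for t in "${tags[@]}"; do args+=(-t "$t"); done
    fake_docker buildx imagetools create "${args[@]}"
}

# Number of argv elements the hardened path emits (3 fixed words + 2 per tag).
hardened_argc() { hardened_publish "$1" | wc -l | tr -d ' '; }

# Stand-alone run: the vulnerable path prints a stray INJECTED line; the hardened
# path prints the payload as one literal argument and nothing else runs.
echo "== vulnerable =="; vulnerable_publish "$META_JSON"
echo "== hardened ==";   hardened_publish "$META_JSON"
```

The difference is entirely in how the value crosses the shell boundary: `"${args[@]}"` preserves each tag as a single word, so metacharacters inside it are data, while the flattened string is tokenised again by `eval` and any `;`, `$(...)` or backtick in a tag becomes code.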
lml2468
left a comment
Code Review Verdict: APPROVED
Diff: 1 file, +1/-1.
- uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
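Review bot: the `# v6.1.0` trailer on the `+` line is a comment the runner never checks, so the hunk proves only that the SHA changed, not that it belongs to the v6.1.0 tag; before merging, resolve the tag independently (for example `git ls-remote --tags https://github.com/docker/metadata-action v6.1.0`) and confirm it prints 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9, rather than relying on the commit-range link in the PR body. Since the diff itself does not say so, it is also worth noting next to this line that v6 is a runtime change (Node 24, runner 2.327.1 or newer per the security review), so the step fails on any runner older than that.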
Correctness:
- SHA pin format preserved (`# vX.Y.Z` comment kept in sync with the SHA — `80c7e94d…` does map to the v6.1.0 tag per the upstream commit log in the PR body).
- Action input contract used here (`images`, `flavor: latest=auto`, `tags: type=semver,pattern=…`, `type=raw,value=…,enable=…`) — all four input shapes carry over unchanged from v5→v6 per release notes. No `with:` block edits needed. `steps.meta.outputs.json` consumed by the next step; v6 preserves the `json` output schema (release notes don't deprecate it; v6 changes are runtime/ESM/bundled-deps only).
Readability / maintainability:
- Comment block above `flavor: latest=auto` retains the rationale paragraph — bump preserves the surrounding documentation context.
- Repo-wide convention is `# vX.Y.Z` next to SHA; this PR conforms.
Design fit: Consistent with the repo's broader "SHA-pin every third-party action, dependabot drives the bumps" pattern — see #405 (actions/checkout 4.3.1→6.0.3, already complete/approved), #407 (docker/setup-buildx 3.12.0→4.1.0, queued), #408 (pnpm/action-setup 4.3.0→6.0.9, queued). Same shape, same upgrade discipline.
Nits: none.
Verdict: approve — mechanical, minimal, and matches established convention.
Aggregate Verdict: APPROVED — awaiting human merge. All 3 reviewer personas have given a consistent verdict on this PR:
Change summary: CI status: Build / dependency-review / osv-scan / secret-scan / actionlint / all sanity checks passed; merge gate: the 1-approval gate is satisfied; waiting for manual merge. Review-lead will not auto-merge.
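The check the code review performs by eye (that the `# vX.Y.Z` comment beside each SHA names the commit it sits next to, and that every third-party action is pinned to a full SHA at all), as an added example that is not code from this PR or its repository. It parses `uses:` pins out of a workflow, classifies refs that are not full commit SHAs, and compares the commented tag against a resolver. The resolver is pluggable: `resolve_with_git` does the real lookup over the network, while the constructed `FAKE_TAGS` table makes the stand-alone run work offline. Only the docker/metadata-action SHA and tag are taken from this PR; every other pin, tag and SHA in the sample is invented, and all function and variable names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or its repository. Verifies `uses:` pins in
# a GitHub Actions workflow: full 40-hex SHA required, and the `# vX.Y.Z` comment
# must resolve to that SHA. Function names and the sample data are invented here.
set -euo pipefail

# Constructed workflow excerpt. The first pin is the one from this PR; the others
# are deliberately bad: a mutable tag ref, an abbreviated SHA, and a stale comment.
WORKFLOW='
      - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
      - uses: actions/checkout@v4
      - uses: actions/cache@80c7e94 # v4.0.0
      - uses: example/action@1111111111111111111111111111111111111111 # v2.0.0
'

# Constructed "repo tag sha" table standing in for upstream tag refs. The first
# line is the real v6.1.0 SHA quoted in the PR; the second is invented.
FAKE_TAGS='docker/metadata-action v6.1.0 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
example/action v2.0.0 2222222222222222222222222222222222222222'

# Offline resolver for the demo: resolve_fake owner/repo tag -> sha (or nothing).
resolve_fake() {
    awk -v r="$1" -v t="$2" '$1==r && $2==t {print $3}' <<<"$FAKE_TAGS"
}

# Real resolver (needs network): lists the tag and its peeled ^{} form so that an
# annotated tag yields the commit SHA, which is what `uses:` must point at.
resolve_with_git() {
    git ls-remote --tags "https://github.com/$1" "refs/tags/$2" "refs/tags/$2^{}" \
        | awk '{sha=$1} END {print sha}'
}

PIN_RE='uses:[[:space:]]+([^@[:space:]]+)@([^[:space:]]+)([[:space:]]*#[[:space:]]*(v[0-9][^[:space:]]*))?'
SHA_RE='^[0-9a-f]{40}$'
SHORT_RE='^[0-9a-f]{7,39}$'

# check_pins <resolver-function> <workflow-text>
# Prints one line per pin: OK|UNPINNED|SHORT|NOCOMMENT|UNRESOLVED|MISMATCH repo@ref
check_pins() {
    local resolver="$1" text="$2"
    local line repo ref tag want
    while IFS= read -r line; do
        [[ "$line" =~ $PIN_RE ]] || continue
        repo="${BASH_REMATCH[1]}"; ref="${BASH_REMATCH[2]}"; tag="${BASH_REMATCH[4]:-}"
        if [[ ! "$ref" =~ $SHA_RE ]]; then
            # A tag or branch ref is mutable; a short SHA is both ambiguous and
            # rejected by the runner for pinning purposes.
            if [[ "$ref" =~ $SHORT_RE ]]; then echo "SHORT $repo@$ref"; else echo "UNPINNED $repo@$ref"; fi
            continue
        fi
        if [ -z "$tag" ]; then echo "NOCOMMENT $repo@$ref"; continue; fi
        want=$("$resolver" "$repo" "$tag")
        if [ -z "$want" ]; then echo "UNRESOLVED $repo@$ref"
        elif [ "$want" = "$ref" ]; then echo "OK $repo@$ref"
        else echo "MISMATCH $repo@$ref"
        fi
    done <<<"$text"
}

# Stand-alone run against the constructed sample and the offline resolver.
check_pins resolve_fake "$WORKFLOW"
```

Against the real file the call is `check_pins resolve_with_git "$(cat .github/workflows/docker-publish.yml)"`; any line other than `OK` is worth a comment on the PR, and a `MISMATCH` is exactly the case a dependabot bump with a mis-edited version comment would produce.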
Bumps docker/metadata-action from 5.10.0 to 6.1.0.
Release notes
Sourced from docker/metadata-action's releases.
Commits
- 80c7e94 Merge pull request #613 from docker/dependabot/npm_and_yarn/docker/actions-to...
- 8e0ddab chore: update generated content
- a8db14b chore(deps): Bump @docker/actions-toolkit from 0.79.0 to 0.90.0
- 63a7371 Merge pull request #617 from docker/dependabot/npm_and_yarn/csv-parse-6.2.0
- c6916a6 chore: update generated content
- aca9205 chore(deps): Bump csv-parse from 6.1.0 to 6.2.1
- 9dcfe60 Merge pull request #629 from docker/dependabot/npm_and_yarn/handlebars-4.7.9
- 43dea76 chore: update generated content
- 7a56f5a chore(deps): Bump handlebars from 4.7.8 to 4.7.9
- e49e0aa Merge pull request #658 from docker/dependabot/npm_and_yarn/brace-expansion-5...