
chore(ci): bump docker/setup-buildx-action from 3.12.0 to 4.1.0#407

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/docker/setup-buildx-action-4.1.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026


Bumps docker/setup-buildx-action from 3.12.0 to 4.1.0.

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.1.0

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

v4.0.0

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

Commits
  • d7f5e7f Merge pull request #489 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 92bc5c9 chore: update generated content
  • da11e35 build(deps): bump @docker/actions-toolkit from 0.79.0 to 0.90.0
  • f021e16 Merge pull request #492 from docker/dependabot/npm_and_yarn/undici-6.24.1
  • b5af94f chore: update generated content
  • 16ad977 build(deps): bump undici from 6.23.0 to 6.25.0
  • d7a12d7 Merge pull request #495 from docker/dependabot/npm_and_yarn/glob-10.5.0
  • 28ff27d build(deps): bump glob from 10.3.12 to 13.0.6
  • daf436b Merge pull request #496 from docker/dependabot/npm_and_yarn/fast-xml-parser-5...
  • 9725348 chore: update generated content
  • Additional commits viewable in compare view

dependabot Bot commented on behalf of github Jun 16, 2026


Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 16, 2026 05:44
@github-actions github-actions Bot added the size/XS PR size: XS label Jun 16, 2026
lml2468 commented Jun 17, 2026


@dependabot rebase

Rebasing to pick up the current CI (a fresh Build + code-review run). With the review gate now at 1 approval, these CI-action bumps can merge once checks are green. — automated PR-review cadence (OCT-13)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.1.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...d7f5e7f)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/setup-buildx-action-4.1.0 branch from c39c840 to 4e58070 June 17, 2026 16:19
@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 27, 2026

@lml2468 lml2468 left a comment


QA Verdict: APPROVE

Scope: GitHub Actions runtime bump in .github/workflows/docker-publish.yml (docker/setup-buildx-action v3.12.0 → v4.1.0, 2 occurrences).

Coverage

  • No application code paths modified; only CI tooling pinning.
  • CI Build job (which exercises the new action) is SUCCESS.
  • Dependency Review, OSV-Scanner, Secret Scan all green.
  • Both invocation sites updated identically — no drift between the two job stages.

Risk / edge cases

  • Major bump (v3 → v4) requires Actions Runner ≥ v2.327.1 (Node 24 default). GitHub-hosted runners are already on this; if any self-hosted runner exists it would need verification. CI green confirms current runner satisfies the requirement.
  • check-sprint workflow shows FAILURE on this PR — unrelated to functional change (sprint-compliance check, not the build itself).

Action: no test gaps identified for this CI bump; the build job itself is the regression test.

@lml2468 lml2468 added review:done:qa:approve qa-engineer PASS and removed review:running:qa qa-engineer review in progress labels Jun 27, 2026

@lml2468 lml2468 left a comment


Security Verdict: APPROVE (CLEARED)

Scope: supply-chain review of docker/setup-buildx-action SHA pin bump.

Supply chain

  • Pinned by commit SHA d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 (v4.1.0) — SHA pinning preserved (does not regress to mutable tag).
  • Upstream source: official docker/setup-buildx-action repo.
  • v4.x notable internal deps (per release notes): @docker/actions-toolkit 0.79→0.90, undici 6.23→6.25, tar 6→7, glob 10→13, handlebars 4.7.9, lodash 4.18.1. No known CVEs against the new minimums.

Permissions / capabilities

  • No new permission scope requested in the workflow file.
  • Action runs in same docker-publish.yml build/push context as before; auth still flows through existing docker/login-action@v3.7.0.

Checks

  • dependency-review: SUCCESS
  • scan-pr / osv-scan: SUCCESS
  • secret-scan / gitleaks: SUCCESS

STRIDE quick pass: no new spoofing/tampering/repudiation/info-disclosure/DoS/elevation surface introduced; the action only sets up buildx.

Action: none — cleared for merge from a security standpoint.

@lml2468 lml2468 added review:done:security:approve security-engineer CLEARED and removed review:running:security security-engineer review in progress labels Jun 27, 2026

@lml2468 lml2468 left a comment


Code Review Verdict: APPROVE

Scope: .github/workflows/docker-publish.yml — 2 hunks, +2/-2.

Correctness

  • Both Set up Docker Buildx steps (build job and merge-manifests job) updated to the same SHA — change is consistently applied; no half-bump that would leave one job behind another.
  • SHA + version-comment format (<sha> # vX.Y.Z) matches the convention used by neighbouring actions/checkout, docker/login-action, etc. in this file.

Readability / maintainability

  • Minimal, mechanical Dependabot bump — no logic changes, no new inputs/outputs consumed from the action.
  • Maintains the project's pinned-by-SHA discipline, which is what we want long-term for third-party actions.

Design fit

  • v4.x action signature is compatible with the existing zero-arg invocation (uses: docker/setup-buildx-action@<sha>); we don't pass any inputs that were renamed or removed across the major.
  • Build job ran end-to-end against the new action and produced an image — strongest signal of compatibility.

Action: none — approved.

@lml2468 lml2468 added review:done:code:approve code-reviewer APPROVED and removed review:running:code code-reviewer review in progress labels Jun 27, 2026
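The security and code reviews above both hinge on the same property: every third-party action in the workflow is pinned to a full commit SHA with a `# vX.Y.Z` comment, rather than a mutable tag or branch that upstream can re-point. The following is an added example, not code from this repository or from Dependabot, of a small audit that checks that property across a workflow file. It assumes nothing about the project beyond the `<sha> # vX.Y.Z` convention the reviewers describe; the sample workflow text is constructed for the example (the one real value in it is the setup-buildx-action SHA quoted in the security review, the other refs are placeholders).

```python
import re
from typing import List, Optional, Tuple

# Matches a `uses:` line in a GitHub Actions workflow and captures the action
# reference plus an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")      # heuristic: abbreviated SHA
VERSION_COMMENT_RE = re.compile(r"^v\d+\.\d+\.\d+$")  # the repo's `# vX.Y.Z` style


def classify_uses(ref: str, comment: Optional[str]) -> str:
    """Classify one action reference.

    "skip"           local (./path) or docker:// reference, nothing to pin
    "sha-pinned"     full 40-hex SHA with a `# vX.Y.Z` version comment
    "sha-no-comment" full SHA but the human-readable version comment is missing
    "short-sha"      abbreviated SHA (ambiguous; full SHAs are the convention)
    "mutable"        tag, branch, or no ref at all; upstream can move it
    """
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"
    if "@" not in ref:
        return "mutable"  # no ref resolves to the default branch
    _, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        if comment and VERSION_COMMENT_RE.match(comment.strip()):
            return "sha-pinned"
        return "sha-no-comment"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "mutable"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ref, finding) for every `uses:` that is not
    fully SHA-pinned with a version comment. Local and docker:// refs are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        verdict = classify_uses(m.group("ref"), m.group("comment"))
        if verdict not in ("skip", "sha-pinned"):
            findings.append((lineno, m.group("ref").strip("'\""), verdict))
    return findings


# Constructed sample workflow. Only the setup-buildx-action SHA is real (from the
# PR's security review); the login-action SHA and the other refs are placeholders.
SAMPLE_WORKFLOW = """\
name: docker-publish
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, ref, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} -> {finding}")
```

Run against the sample it reports the `@v4` tag and the `@main` branch as mutable and the bare-SHA login-action line as missing its version comment, while the fully pinned setup-buildx-action step passes. In CI the same function can be pointed at every file under `.github/workflows/` and made to fail the job on any finding, which turns the "SHA pinning preserved" check the security review did by hand into a standing gate.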
lml2468 commented Jun 27, 2026


Aggregate Verdict: APPROVED — awaiting human merge

3 reviewer personas have all reported APPROVE on commit 4e58070. No blocking findings.

Reviewer Verdict Summary

| Reviewer | Verdict | Summary |
| --- | --- | --- |
| qa-engineer | ✅ APPROVE | CI Build SUCCESS; no app code paths touched — the workflow run itself is the regression test. check-sprint FAILURE is unrelated (sprint-compliance, not the build). |
| security-engineer | ✅ APPROVE (CLEARED) | SHA pinning preserved (d7f5e7f…); upstream is official docker/setup-buildx-action; no new permission scope; dependency-review / OSV / gitleaks all green. |
| code-reviewer | ✅ APPROVE | Both invocation sites (build + merge-manifests) updated to the same SHA; matches repo's <sha> # vX.Y.Z pinning convention; v4 action signature compatible with existing zero-arg usage. |

Merge readiness

  • mergeable: MERGEABLE, mergeStateStatus: UNSTABLE (caused only by the unrelated check-sprint workflow — flagged for human awareness, not blocking).
  • Major version bump (v3 → v4) requires Actions Runner ≥ v2.327.1 (Node 24); GitHub-hosted runners already satisfy this and the Build job exercising the new action passed end-to-end.

Awaiting human merge. Per loop policy, review-lead never invokes gh pr merge.

@lml2468 lml2468 added the review:complete 3 verdicts aggregated, awaiting human merge label Jun 27, 2026