docker · derekmisler · Mar 12, 2026 · Mar 12, 2026
@@ -26,6 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.version.outputs.version }}
+      sha: ${{ steps.release-commit.outputs.sha }}
 
     steps:
       - name: Checkout code
@@ -164,6 +165,113 @@ jobs:
 
           echo "Updated 'latest' tag to point to ${VERSION} ($RELEASE_SHA)"
 
+  update-pinata:
+    name: Update pinata pr-review workflow
+    needs: release
+    if: success()
+    runs-on: ubuntu-latest
+    concurrency:
+      group: update-pinata
+      cancel-in-progress: false
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        with:
+          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
+          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          repository: docker/pinata
+
+      - name: Checkout pinata
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: docker/pinata
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Update cagent-action reference
+        id: update
+        env:
+          SHA: ${{ needs.release.outputs.sha }}
+          VERSION: ${{ needs.release.outputs.version }}
+        run: |
+          FILE=".github/workflows/pr-review.yml"
+          if [ ! -f "$FILE" ]; then
+            echo "::error::$FILE not found in pinata"
+            exit 1
+          fi
+
+          if [ -z "$SHA" ] || [ -z "$VERSION" ]; then
+            echo "::error::SHA or VERSION is empty (SHA='$SHA', VERSION='$VERSION')"
+            exit 1
+          fi
+
+          PATTERN='cagent-action/\.github/workflows/review-pr\.yml@[[:xdigit:]]\{40\} # v[0-9.]*'
+          if ! grep -q "$PATTERN" "$FILE"; then
+            echo "::error::Expected cagent-action reference pattern not found in $FILE — format may have changed"
+            exit 1
+          fi
+
+          sed -i "s|${PATTERN}|cagent-action/.github/workflows/review-pr.yml@${SHA} # ${VERSION}|" "$FILE"
+
+          if git diff --quiet "$FILE"; then
+            echo "File already up to date, skipping."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Updated reference to ${SHA} # ${VERSION}"
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create or update PR
+        if: steps.update.outputs.skip != 'true'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          VERSION: ${{ needs.release.outputs.version }}
+          SHA: ${{ needs.release.outputs.sha }}
+        run: |
+          BRANCH="auto/update-cagent-action"
+          RELEASE_URL="https://github.com/docker/cagent-action/releases/tag/$VERSION"
+
+          git config user.name "docker-agent[bot]"
+          git config user.email "259137750+docker-agent[bot]@users.noreply.github.com"
+
+          git checkout -B "$BRANCH"
+          git add .github/workflows/pr-review.yml
+          git commit -m "chore: update cagent-action to $VERSION"
+
+          # Force-push to handle both new and existing branches.
+          # This branch is exclusively managed by this workflow, so --force is safe.
+          git push --force origin "$BRANCH"
+
+          EXISTING_PR=$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number')
+
+          PR_BODY="$(cat <<EOF
+          ## Summary
+          Updates \`cagent-action\` reference in \`pr-review.yml\` to [$VERSION]($RELEASE_URL).
+          - **Commit**: \`${SHA}\`
+          - **Version**: \`${VERSION}\`
+          > Auto-generated by the [release](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow.
+
+          /skip-builds
+          /skip-tests
+          EOF
+          )"
+
+          if [ -n "$EXISTING_PR" ]; then
+            echo "Updating existing PR #$EXISTING_PR"
+            gh pr edit "$EXISTING_PR" \
+              --title "chore: update cagent-action to $VERSION" \
+              --body "$PR_BODY" \
+              --add-reviewer "derekmisler"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "chore: update cagent-action to $VERSION" \
+              --body "$PR_BODY" \
+              --label "team/gordon" \
+              --label "merge/auto" \
+              --reviewer "derekmisler"
+          fi
+
   publish-agent:
     name: Push review-pr agent to Docker Hub
     needs: release

@@ -1,3 +1,5 @@
+version: "6"
+
 models:
   haiku:
     provider: anthropic

@@ -1,3 +1,5 @@
+version: "6"
+
 models:
   sonnet:
     provider: anthropic

@@ -1,3 +1,5 @@
+version: "6"
+
 models:
   sonnet:
     provider: anthropic