Merge pull request #268 from docker/dependabot/github_actions/codecov/codecov-action-6.0.0

build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
2026-04-01 13:58:20 +01:00 · 2026-03-31 09:27:41 +02:00 · 2026-03-31 01:51:28 +00:00 · 2026-03-30 18:50:33 -07:00 · 2026-03-30 14:25:09 +02:00 · 2026-03-30 14:24:46 +02:00
15 changed files with 143 additions and 34 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,12 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
    labels:
      - "dependencies"
      - "bot"
@@ -11,6 +17,8 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
    versioning-strategy: "increase"
    allow:
      - dependency-type: "production"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: ci

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -22,7 +25,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
@@ -45,7 +48,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
@@ -62,7 +65,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Stop docker
        run: |
@@ -92,7 +95,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
@@ -116,7 +119,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        uses: ./
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          category: "/language:javascript-typescript"
--- a/.github/workflows/pr-assign-author.yml
+++ b/.github/workflows/pr-assign-author.yml
@@ -4,14 +4,14 @@ permissions:
  contents: read

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
    types:
      - opened
      - reopened

 jobs:
  run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,12 @@
 name: publish

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  release:
    types:
@@ -15,7 +22,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -17,16 +20,16 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          source: .
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -1,5 +1,12 @@
 name: update-dist

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  pull_request:
    types:
@@ -8,27 +15,27 @@ on:

 jobs:
  update-dist:
-    if: github.actor == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
    runs-on: ubuntu-latest
    steps:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
-          token: ${{ steps.docker-read-app.outputs.token || github.token }}
+          token: ${{ steps.docker-read-app.outputs.token }}
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          source: .
          targets: build
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -1,5 +1,8 @@
 name: validate

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -15,15 +18,15 @@ jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
+      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
-        name: List targets
+        name: Generate matrix
        id: generate
-        uses: docker/bake-action/subaction/list-targets@v6
+        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          target: validate

@@ -34,10 +37,10 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
    steps:
      -
        name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          targets: ${{ matrix.target }}
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
+    disable: true
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ jobs:
    steps:
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 ```

 > [!NOTE]
@@ -42,10 +42,10 @@ jobs:
 > ```yaml
 >     -
 >       name: Set up QEMU
->       uses: docker/setup-qemu-action@v3
+>       uses: docker/setup-qemu-action@v4
 >     -
 >       name: Set up Docker Buildx
->       uses: docker/setup-buildx-action@v3
+>       uses: docker/setup-buildx-action@v4
 > ```

 ## Customizing
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/package.json
+++ b/package.json
@@ -23,7 +23,7 @@
  "packageManager": "yarn@4.9.2",
  "dependencies": {
    "@actions/core": "^3.0.0",
-    "@docker/actions-toolkit": "^0.77.0"
+    "@docker/actions-toolkit": "^0.79.0"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.3",
--- a/yarn.lock
+++ b/yarn.lock
@@ -367,9 +367,9 @@ __metadata:
  languageName: node
  linkType: hard

-"@docker/actions-toolkit@npm:^0.77.0":
-  version: 0.77.0
-  resolution: "@docker/actions-toolkit@npm:0.77.0"
+"@docker/actions-toolkit@npm:^0.79.0":
+  version: 0.79.0
+  resolution: "@docker/actions-toolkit@npm:0.79.0"
  dependencies:
    "@actions/artifact": "npm:^6.2.0"
    "@actions/cache": "npm:^6.0.0"
@@ -393,7 +393,7 @@ __metadata:
    semver: "npm:^7.7.4"
    tar-stream: "npm:^3.1.7"
    tmp: "npm:^0.2.5"
-  checksum: 10/f3ae817a5a6827efc63d1a1730e918801a8fa33867cda72bd7a1f78309631c45d91de60bc57985c7520fae168e96daed0fcab0003b5fab9b50bdd7aa355d651b
+  checksum: 10/d64849ba49b2b59e2e93237a70be03fd7c43b1f7f01bac3f7557616ba5f59be785cb12a273bbb6a71c1e0d959f1bc6c673111b587c57bd2d6da105dcc500921a
  languageName: node
  linkType: hard

@@ -2098,7 +2098,7 @@ __metadata:
  resolution: "docker-setup-qemu@workspace:."
  dependencies:
    "@actions/core": "npm:^3.0.0"
-    "@docker/actions-toolkit": "npm:^0.77.0"
+    "@docker/actions-toolkit": "npm:^0.79.0"
    "@eslint/js": "npm:^9.39.3"
    "@types/node": "npm:^24.11.0"
    "@typescript-eslint/eslint-plugin": "npm:^8.56.1"
Author	SHA1	Message	Date
CrazyMax	6412e4f975	Merge pull request #268 from docker/dependabot/github_actions/codecov/codecov-action-6.0.0 build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0	2026-03-31 09:27:41 +02:00
dependabot[bot]	3329a8ce3d	build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.4 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](`75cd11691c...57e3a136b7`) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-31 01:51:28 +00:00
Tõnis Tiigi	cf45d1535a	Merge pull request #267 from crazy-max/zizmor ci: zizmor workflow	2026-03-30 18:50:33 -07:00
CrazyMax	7b4ca36676	fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-30 14:25:09 +02:00
CrazyMax	9d536b88bb	ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-30 14:24:46 +02:00
Tõnis Tiigi	6804d31319	Merge pull request #260 from crazy-max/update-crazy-max-actions ci: bump crazy-max/.github to 1.1.0	2026-03-25 10:44:07 -07:00
CrazyMax	f03c104308	ci: bump crazy-max/.github to 1.1.0 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-25 12:47:34 +01:00
CrazyMax	6632d370ea	Merge pull request #256 from crazy-max/codeql ci: enable SAST scanning with CodeQL	2026-03-20 16:57:34 +01:00
CrazyMax	ff0bafa2b5	ci: enable SAST scanning with CodeQL Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-20 12:00:52 +01:00
CrazyMax	b99055d793	Merge pull request #252 from docker/dependabot/github_actions/actions/create-github-app-token-3 build(deps): bump actions/create-github-app-token from 2 to 3	2026-03-16 12:47:25 +01:00
dependabot[bot]	f80e0ace51	build(deps): bump actions/create-github-app-token from 2 to 3 Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2 to 3. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-16 06:17:10 +00:00
Tõnis Tiigi	a4bc6cde7e	Merge pull request #248 from docker/dependabot/github_actions/docker/bake-action-7 build(deps): bump docker/bake-action from 6 to 7	2026-03-09 12:36:36 -07:00
CrazyMax	83ebb81e64	ci: switch to matrix subaction Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-06 10:13:48 +01:00
dependabot[bot]	9586bd4603	build(deps): bump docker/bake-action from 6 to 7 Bumps [docker/bake-action](https://github.com/docker/bake-action) from 6 to 7. - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](https://github.com/docker/bake-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/bake-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-06 06:16:16 +00:00
CrazyMax	72cd565084	Merge pull request #246 from crazy-max/update-readme readme: update to v4	2026-03-05 09:20:21 +01:00
CrazyMax	b7a46cd9ec	readme: update to v4 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-05 09:10:56 +01:00
CrazyMax	7430fdb955	Merge pull request #247 from docker/dependabot/npm_and_yarn/docker/actions-toolkit-0.79.0 build(deps): bump @docker/actions-toolkit from 0.77.0 to 0.79.0	2026-03-05 08:36:15 +01:00
github-actions[bot]	618b42c7b3	chore: update generated content	2026-03-05 06:18:42 +00:00
dependabot[bot]	3fcc89cfff	build(deps): bump @docker/actions-toolkit from 0.77.0 to 0.79.0 Bumps [@docker/actions-toolkit](https://github.com/docker/actions-toolkit) from 0.77.0 to 0.79.0. - [Release notes](https://github.com/docker/actions-toolkit/releases) - [Commits](https://github.com/docker/actions-toolkit/compare/v0.77.0...v0.79.0) --- updated-dependencies: - dependency-name: "@docker/actions-toolkit" dependency-version: 0.79.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-05 06:17:21 +00:00