Skip to content

chore(deps): bump docker/login-action from 4.2.0 to 4.4.0#4047

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/docker/login-action-4.4.0
Open

chore(deps): bump docker/login-action from 4.2.0 to 4.4.0#4047
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/docker/login-action-4.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps docker/login-action from 4.2.0 to 4.4.0.

Release notes

Sourced from docker/login-action's releases.

v4.4.0

Full Changelog: docker/login-action@v4.3.0...v4.4.0

v4.3.0

Full Changelog: docker/login-action@v4.2.0...v4.3.0

Commits
  • af1e73f Merge pull request #1034 from docker/dependabot/npm_and_yarn/aws-sdk-dependen...
  • da722bd [dependabot skip] chore: update generated content
  • 2916ad6 build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
  • ca0a662 Merge pull request #1035 from crazy-max/fix-registry-auth-empty-mask
  • c455755 chore: update generated content
  • 4835190 skip empty registry-auth secret mask
  • 992421c Merge pull request #1033 from docker/dependabot/github_actions/docker/bake-ac...
  • b249b43 Merge pull request #1032 from docker/dependabot/github_actions/docker/bake-ac...
  • 1b67977 build(deps): bump docker/bake-action from 7.2.0 to 7.3.0
  • 9d49d6a build(deps): bump docker/bake-action/subaction/matrix
  • Additional commits viewable in compare view


Agent Server images for this PR

GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server

Variants & Base Images

Variant Architectures Base Image Docs / Tags
java amd64, arm64 eclipse-temurin:17-jdk Link
python amd64, arm64 nikolaik/python-nodejs:python3.13-nodejs22-slim Link
golang amd64, arm64 golang:1.21-bookworm Link

Pull (multi-arch manifest)

# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:b495c13-python

Run

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-b495c13-python \
  ghcr.io/openhands/agent-server:b495c13-python

All tags pushed for this build

ghcr.io/openhands/agent-server:b495c13-golang-amd64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-golang-amd64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-golang-amd64
ghcr.io/openhands/agent-server:b495c13-golang_tag_1.21-bookworm-amd64
ghcr.io/openhands/agent-server:b495c13-golang-arm64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-golang-arm64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-golang-arm64
ghcr.io/openhands/agent-server:b495c13-golang_tag_1.21-bookworm-arm64
ghcr.io/openhands/agent-server:b495c13-java-amd64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-java-amd64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-java-amd64
ghcr.io/openhands/agent-server:b495c13-eclipse-temurin_tag_17-jdk-amd64
ghcr.io/openhands/agent-server:b495c13-java-arm64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-java-arm64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-java-arm64
ghcr.io/openhands/agent-server:b495c13-eclipse-temurin_tag_17-jdk-arm64
ghcr.io/openhands/agent-server:b495c13-python-amd64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-python-amd64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-python-amd64
ghcr.io/openhands/agent-server:b495c13-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-amd64
ghcr.io/openhands/agent-server:b495c13-python-arm64
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-python-arm64
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-python-arm64
ghcr.io/openhands/agent-server:b495c13-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-arm64
ghcr.io/openhands/agent-server:b495c13-golang
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-golang
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-golang
ghcr.io/openhands/agent-server:b495c13-golang_tag_1.21-bookworm
ghcr.io/openhands/agent-server:b495c13-java
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-java
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-java
ghcr.io/openhands/agent-server:b495c13-eclipse-temurin_tag_17-jdk
ghcr.io/openhands/agent-server:b495c13-python
ghcr.io/openhands/agent-server:b495c1345d40cdb0bfc2894db3d444fd4d44c015-python
ghcr.io/openhands/agent-server:dependabot-github-actions-docker-login-action-4.4.0-python
ghcr.io/openhands/agent-server:b495c13-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim

About Multi-Architecture Support

  • Each variant tag (e.g., b495c13-python) is a multi-arch manifest supporting both amd64 and arm64
  • Docker automatically pulls the correct architecture for your platform
  • Individual architecture tags (e.g., b495c13-python-amd64) are also available if needed

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Python API breakage checks — ✅ PASSED

Result:PASSED

Action log

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

REST API breakage checks (OpenAPI) — ✅ PASSED

Result:PASSED

Action log

Bumps [docker/login-action](https://github.com/docker/login-action) from 4.2.0 to 4.4.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@650006c...af1e73f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/login-action-4.4.0 branch from 5149ee6 to b495c13 Compare July 13, 2026 10:49
@enyst

enyst commented Jul 13, 2026

Copy link
Copy Markdown
Member

@OpenHands verify this pr from the pov of supply chain risk; review it and feel free to use gh review with event

@openhands-ai

openhands-ai Bot commented Jul 13, 2026

Copy link
Copy Markdown

I'm on it! enyst can track my progress at all-hands.dev

@enyst enyst left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Good taste

Supply-chain verification completed:

  • The PR remains narrowly scoped to three docker/login-action references and preserves this repository’s full-commit-SHA pinning policy.
  • v4.4.0 is an immutable upstream release published on 2026-07-03 (more than 10 days old), and its tag resolves exactly to the pinned af1e73f918a031802d376d3c8bbc3fe56130a9b0 commit.
  • The pinned commit has a valid GitHub signature. The only hand-written runtime source change is the guarded empty-password mask fix; the remaining runtime changes are generated bundle/dependency updates with published release notes. No new runtime install hook was introduced.
  • The updated direct dependencies are established, available, and not deprecated. I found no published GitHub security advisories for docker/login-action.
  • Upstream CI passed its GHCR, registry-auth, ECR, and other login scenarios on this release commit.
  • PR-specific Agent Server run 29244078029 completed successfully on head b495c13; all six image-build jobs and all three manifest jobs successfully ran Log in to GHCR and its post step using the new pinned action.

[RISK ASSESSMENT]

  • [Overall PR] ⚠️ Risk Assessment: 🟡 MEDIUM
    The action handles registry credentials and runs in workflows with package permissions, so its inherent impact is security-sensitive. The immutable full-SHA pin, verified release provenance, release age, narrow source delta, upstream validation, and successful PR-specific credential-path execution reduce the residual risk to an acceptable level.

VERDICT:Worth merging

KEY INSIGHT: The sensitive action remains immutable and the exact pinned artifact was exercised successfully on this PR.

This review was generated by an AI agent (OpenHands) on behalf of the requester.

@openhands-ai

openhands-ai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Reviewed and approved PR #4047 on head b495c1345d40cdb0bfc2894db3d444fd4d44c015.

Key findings:

  • v4.4.0 is over 10 days old and its immutable tag resolves exactly to the pinned full SHA af1e73f918a031802d376d3c8bbc3fe56130a9b0.
  • The upstream commit has a valid GitHub signature and published release notes.
  • Runtime source changes are narrow; bundled dependency updates are established and non-deprecated, with no published repository advisories found.
  • Upstream login scenarios passed.
  • PR-specific Agent Server CI completed successfully; all six image builds and three manifest jobs exercised the updated GHCR login action successfully.

I rated inherent risk medium because the action handles registry credentials with package permissions, but the pinning, provenance, age, and CI evidence reduce residual risk to an acceptable level. No repository files were changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant