chore(deps): bump docker/login-action from 4.2.0 to 4.4.0#4047
chore(deps): bump docker/login-action from 4.2.0 to 4.4.0#4047dependabot[bot] wants to merge 1 commit into
Conversation
Python API breakage checks — ✅ PASSEDResult: ✅ PASSED |
REST API breakage checks (OpenAPI) — ✅ PASSEDResult: ✅ PASSED |
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.2.0 to 4.4.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@650006c...af1e73f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
5149ee6 to
b495c13
Compare
|
@OpenHands verify this pr from the pov of supply chain risk; review it and feel free to use gh review with event |
|
I'm on it! enyst can track my progress at all-hands.dev |
enyst
left a comment
There was a problem hiding this comment.
🟢 Good taste
Supply-chain verification completed:
- The PR remains narrowly scoped to three
docker/login-actionreferences and preserves this repository’s full-commit-SHA pinning policy. v4.4.0is an immutable upstream release published on 2026-07-03 (more than 10 days old), and its tag resolves exactly to the pinnedaf1e73f918a031802d376d3c8bbc3fe56130a9b0commit.- The pinned commit has a valid GitHub signature. The only hand-written runtime source change is the guarded empty-password mask fix; the remaining runtime changes are generated bundle/dependency updates with published release notes. No new runtime install hook was introduced.
- The updated direct dependencies are established, available, and not deprecated. I found no published GitHub security advisories for
docker/login-action. - Upstream CI passed its GHCR, registry-auth, ECR, and other login scenarios on this release commit.
- PR-specific Agent Server run 29244078029 completed successfully on head
b495c13; all six image-build jobs and all three manifest jobs successfully ranLog in to GHCRand its post step using the new pinned action.
[RISK ASSESSMENT]
- [Overall PR]
⚠️ Risk Assessment: 🟡 MEDIUM
The action handles registry credentials and runs in workflows with package permissions, so its inherent impact is security-sensitive. The immutable full-SHA pin, verified release provenance, release age, narrow source delta, upstream validation, and successful PR-specific credential-path execution reduce the residual risk to an acceptable level.
VERDICT: ✅ Worth merging
KEY INSIGHT: The sensitive action remains immutable and the exact pinned artifact was exercised successfully on this PR.
This review was generated by an AI agent (OpenHands) on behalf of the requester.
|
Reviewed and approved PR #4047 on head Key findings:
I rated inherent risk medium because the action handles registry credentials with package permissions, but the pinning, provenance, age, and CI evidence reduce residual risk to an acceptable level. No repository files were changed. |
Bumps docker/login-action from 4.2.0 to 4.4.0.
Release notes
Sourced from docker/login-action's releases.
Commits
af1e73fMerge pull request #1034 from docker/dependabot/npm_and_yarn/aws-sdk-dependen...da722bd[dependabot skip] chore: update generated content2916ad6build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...ca0a662Merge pull request #1035 from crazy-max/fix-registry-auth-empty-maskc455755chore: update generated content4835190skip empty registry-auth secret mask992421cMerge pull request #1033 from docker/dependabot/github_actions/docker/bake-ac...b249b43Merge pull request #1032 from docker/dependabot/github_actions/docker/bake-ac...1b67977build(deps): bump docker/bake-action from 7.2.0 to 7.3.09d49d6abuild(deps): bump docker/bake-action/subaction/matrixAgent Server images for this PR
• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server
Variants & Base Images
eclipse-temurin:17-jdknikolaik/python-nodejs:python3.13-nodejs22-slimgolang:1.21-bookwormPull (multi-arch manifest)
# Each variant is a multi-arch manifest supporting both amd64 and arm64 docker pull ghcr.io/openhands/agent-server:b495c13-pythonRun
All tags pushed for this build
About Multi-Architecture Support
b495c13-python) is a multi-arch manifest supporting both amd64 and arm64b495c13-python-amd64) are also available if needed