ci: bump docker/login-action from 0567fa5ae8c9a197cb207537dc5cbb43ca3d803f to c94ce9fb468520275223c153574b00df6fe4bcc9 in the github-actions group#399
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| - name: Log in to Docker registry | ||
| uses: docker/login-action@0567fa5ae8c9a197cb207537dc5cbb43ca3d803f | ||
| uses: docker/login-action@3227f5311cb93ffd14d13e65d8cc400d30f4dd8a |
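Review bot: the new pin on the `uses:` line, 3227f5311cb93ffd14d13e65d8cc400d30f4dd8a, is not the commit the PR title and description say this bumps to (c94ce9fb468520275223c153574b00df6fe4bcc9, which is also the head of the commit list in the description). A Dependabot PR should carry exactly the SHA it describes, so before merging confirm which commit is intended and that it actually exists upstream, for example with `gh api repos/docker/login-action/commits/3227f5311cb93ffd14d13e65d8cc400d30f4dd8a`, or have Dependabot regenerate the change with `@dependabot recreate`. It would also help future reviews to keep the release tag next to the SHA as a trailing comment (`uses: docker/login-action@<sha> # <tag>`, with the tag taken from the release notes linked in the description) so the pin can be tied to a release at a glance.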
Commit hash mismatch between PR description and code
High Severity
The docker/login-action commit hash in the code (3227f5311cb93ffd14d13e65d8cc400d30f4dd8a) does not match the commit hash stated in the PR description (c94ce9fb468520275223c153574b00df6fe4bcc9). This discrepancy in a Dependabot PR is concerning—either the PR was modified after generation or there's a mismatch that warrants verification. Using an unverified commit hash in CI/CD workflows poses a supply chain security risk.
Bumps the github-actions group with 1 update: [docker/login-action](https://github.com/docker/login-action).

Updates `docker/login-action` from 0567fa5ae8c9a197cb207537dc5cbb43ca3d803f to c94ce9fb468520275223c153574b00df6fe4bcc9
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@0567fa5...c94ce9f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: c94ce9fb468520275223c153574b00df6fe4bcc9
  dependency-type: direct:production
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 1 update: docker/login-action.

Updates `docker/login-action` from 0567fa5ae8c9a197cb207537dc5cbb43ca3d803f to c94ce9fb468520275223c153574b00df6fe4bcc9

Commits
- c94ce9f Merge pull request #915 from docker/dependabot/npm_and_yarn/lodash-4.17.23
- 8339c95 Merge pull request #912 from docker/scope
- c83e932 build(deps): bump lodash from 4.17.21 to 4.17.23
- b268aa5 chore: update generated content
- a603229 documentation for scope input
- 7567f92 Add scope input to set scopes for the authentication token

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

Note
Low Risk
CI-only change that bumps a pinned third-party GitHub Action; risk is limited to potential workflow auth/login behavior differences.
Overview
Updates `.github/workflows/build.yml` to use a newer pinned commit of `docker/login-action` for the Docker registry login step, leaving the rest of the build/deploy workflow unchanged.

Written by Cursor Bugbot for commit 247c97f.
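The hash-mismatch finding in this thread comes down to a check a reviewer can run locally on any Dependabot "bump to commit" PR: every third-party `uses:` reference in the workflow should be pinned to a full 40-hex commit SHA (tags such as `v4` are mutable), and the SHA in the file should equal the one the PR description names. The script below is an added example, not code from this repository, from Dependabot or from Cursor Bugbot. The workflow excerpt and description text embedded in it are constructed to mirror this PR (the `3227f53...` pin in the file against the `c94ce9f...` target in the description), and `Finding`, `parse_uses`, `expected_from_description` and `check_pins` are names the example introduces.

```python
"""Verify third-party GitHub Actions pins in a workflow.

Added example for this PR review; not part of the repository. It checks
two things a reviewer wants for a Dependabot "bump to commit" PR:
  1. every external `uses:` reference is pinned to a full 40-hex SHA
     (tags such as v4 are mutable and can be moved after the fact);
  2. the SHA in the workflow equals the SHA the PR description names.
"""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref` lines; local actions (./path) and
# docker:// images carry no owner/repo@ref and are skipped on purpose.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "Updates `owner/repo` from <old sha> to <new sha>" as Dependabot writes it.
DESC_RE = re.compile(
    r"Updates\s*`?([\w.-]+/[\w.-]+)`?\s*from\s+([0-9a-f]{40})\s+to\s+([0-9a-f]{40})"
)

# Constructed workflow excerpt mirroring the diff in this PR (not the real file).
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - name: Log in to Docker registry
        uses: docker/login-action@3227f5311cb93ffd14d13e65d8cc400d30f4dd8a
"""

# Constructed copy of the "Updates ..." line from the Dependabot description.
DESCRIPTION = (
    "Updates `docker/login-action` from 0567fa5ae8c9a197cb207537dc5cbb43ca3d803f "
    "to c94ce9fb468520275223c153574b00df6fe4bcc9"
)


@dataclass(frozen=True)
class Finding:
    action: str
    ref: str
    problem: str


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every external `uses:` line."""
    return USES_RE.findall(workflow_text)


def expected_from_description(description):
    """Map action -> new SHA from a Dependabot 'Updates ... from X to Y' body."""
    return {action: new for action, _old, new in DESC_RE.findall(description)}


def check_pins(workflow_text, expected):
    """Flag refs that are not full SHAs and pins that differ from the described target."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(action, ref, "not pinned to a full 40-hex commit SHA"))
            continue
        want = expected.get(action)
        if want is not None and want != ref:
            findings.append(Finding(action, ref, f"pin differs from described target {want}"))
    return findings


if __name__ == "__main__":
    for f in check_pins(WORKFLOW, expected_from_description(DESCRIPTION)):
        print(f"{f.action}@{f.ref}: {f.problem}")
```

Run against the real PR by reading `.github/workflows/build.yml` into `WORKFLOW` and the PR body into `DESCRIPTION`; on this PR it reports the `docker/login-action` pin as differing from the described target, which is exactly the condition a reviewer should resolve before merging. The check deliberately stops at "does the file match what the PR claims"; whether the claimed commit itself exists in the upstream repository still needs an out-of-band lookup such as the GitHub commits API.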