deps(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 #250

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/docker/setup-buildx-action-4.0.0

dependabot Bot commented on behalf of github May 11, 2026

Bumps docker/setup-buildx-action from 3.12.0 to 4.0.0.

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.0.0

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

Commits
  • 4d04d5d Merge pull request #485 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • cd74e05 chore: update generated content
  • eee38ec build(deps): bump @docker/actions-toolkit from 0.77.0 to 0.79.0
  • 7a83f65 Merge pull request #484 from docker/dependabot/github_actions/docker/setup-qe...
  • a5aa967 Merge pull request #464 from crazy-max/rm-deprecated
  • e73d53f build(deps): bump docker/setup-qemu-action from 3 to 4
  • 28a438e Merge pull request #483 from crazy-max/node24
  • 034e9d3 chore: update generated content
  • b4664d8 remove deprecated inputs/outputs
  • a8257de node 24 as default runtime
  • Additional commits viewable in compare view

dependabot Bot added the dependencies label May 11, 2026

dependabot Bot commented on behalf of github May 11, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


github-actions Bot commented May 11, 2026

Semgrep Scan Results

Repository: api | Commit: e29b628

| Check | Status | Details |
|---|---|---|
| ⚠️ Semgrep | Warning | 10 warning(s), 10 total |

Scanned at 2026-05-19 10:03 UTC


github-actions Bot commented May 11, 2026

Security Scan Results

Repository: api | Commit: e29b628

| Check | Status | Details |
|---|---|---|
| ✅ Secret Scan | Pass | No secrets detected |
| ✅ Dependencies (Trivy) | Pass | 0 total (no critical/high) |
| ✅ Dependencies (Grype) | Pass | 0 total (no critical/high) |
| 📦 SBOM | Generated | 509 components (CycloneDX) |

Scanned at 2026-05-19 10:03 UTC

dependabot Bot force-pushed the dependabot/github_actions/docker/setup-buildx-action-4.0.0 branch 2 times, most recently from a7573cd to 37b0d27 May 16, 2026 10:27
dependabot Bot requested review from Cre-eD and smecsia as code owners May 16, 2026 10:27
dependabot Bot force-pushed the dependabot/github_actions/docker/setup-buildx-action-4.0.0 branch 7 times, most recently from db81271 to 43eb208 May 18, 2026 20:29

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/github_actions/docker/setup-buildx-action-4.0.0 branch from 43eb208 to 01c5dbf May 19, 2026 10:01
Cre-eD added a commit that referenced this pull request May 20, 2026
…label (#279)

## Summary

- **Consolidates 12 open Dependabot PRs into one merge** so we pay for
CI / review once instead of 12+ times. Closes #275 #276 #274 #242 #243
#244 #233 #237 #248 #249 #250 #251 (and the stale #162, superseded by
the gomod group in #275).
- **Gates `branch.yaml` (Blacksmith / paid) on Dependabot PRs behind a
`ci-run` label**, so future Dependabot PRs stop burning multi-vCPU
minutes on a doomed build (they can't decrypt `secrets.SC_CONFIG`).
Cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz, TruffleHog, DCO)
still run on every Dependabot PR — they're free-tier and catch the
supply-chain risk that matters for a bump.
- **Adapts three upstream API breaks** that this bump batch introduces
(disgo, pulumi-cloudflare, pulumi backend) — `go build ./...` and tests
compile clean.

## What's bumped

### Go modules (group #275, post-tidy)
24 direct + transitive: `cloud.google.com/go/storage` 1.49.0→1.62.2 ·
`aws/aws-lambda-go` 1.47.0→1.54.0 · `aws/aws-sdk-go-v2/config`
1.29.7→1.32.17 · `cloudflare/cloudflare-go` 0.104.0→0.116.0 ·
`disgoorg/disgo` 0.18.5→0.19.3 · `fatih/color` 1.18.0→1.19.0 ·
`go-git/go-git/v5` 5.19.0→5.19.1 (also #276) · `onsi/gomega`
1.38.2→1.41.0 · `pulumi-aws/sdk/v6` 6.83.0→6.83.3 ·
`pulumi-cloudflare/sdk/v6` 6.2.0→6.15.0 · `pulumi-docker/sdk/v4`
4.5.8→4.11.2 · `pulumi-gcp/sdk/v8` 8.0.0→8.41.1 ·
`pulumi-kubernetes/sdk/v4` 4.18.1→4.31.0 · `pulumi-mongodbatlas/sdk/v3`
3.30.0→3.38.0 · `pulumi-random/sdk/v4` 4.17.0→4.20.0 · `pulumi/pkg/v3`
3.184.0→3.241.0 · `pulumi/sdk/v3` 3.214.0→3.241.0 · `samber/lo`
1.38.1→1.53.0 · `tmc/langchaingo` 0.1.13→0.1.14 · `mongo-driver`
1.16.1→1.17.9 · `k8s.io/apimachinery` 0.35.0→0.36.1 · `k8s.io/client-go`
0.35.0→0.36.1 · others.

Major bump (out of group): `pulumi/pulumi-command/sdk` 0.9.2→1.2.1
(#237).

### Docker (group #242 + digests #243 #244)
- `alpine` 3.21 → 3.23 (`github-actions.Dockerfile`,
`github-actions-staging.Dockerfile`)
- `caddy` digest `14f5b3e` → `f96a3b7`
- `alpine/kubectl` digest `e9acf90` → `405e713`

### Python docs (group #274)
3 updates in `docs/requirements.in` / `docs/requirements.txt`.

### GitHub Actions
- `actions/upload-artifact` v4.6.2 → v7.0.1 (#251)
- `actions/download-artifact` v4.3.0 → v8.0.1 (#249)
- `actions/cache` v4.3.0 → v5.0.5 (#248)
- `docker/setup-buildx-action` v3.12.0 → v4.0.0 (#250)
- `reecetech/version-increment` 2023.10.2 → 2024.10.1 (#233)

## Upstream API breaks adapted in `83401af`

| Dep | Break | Fix |
|---|---|---|
| `disgoorg/disgo` 0.19 | `webhook.Client` interface → struct | Field type `*webhook.Client` |
| `disgoorg/disgo` 0.19 | `CreateMessage` gained required `rest.CreateWebhookMessageParams` arg | Pass empty `rest.CreateWebhookMessageParams{}` |
| `pulumi-cloudflare/sdk` v6.15 | `LookupZoneResult.ZoneId` `*string` → `string` | Drop `lo.FromPtr(...)` wrapper at 4 sites |
| `pulumi/pkg/v3` v3.241 | `backend.RemoveStack` gained `removeBackups bool` arg | Pass `false, false` (preserve no-backup-delete behaviour) |

## CI gate — what changes

```yaml
# .github/workflows/branch.yaml
on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]  # `labeled` re-triggers
jobs:
  build-setup:
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.user.login != 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'ci-run')
```

`finalize` carries the same guard so a Dependabot PR doesn't get a
"build failed" Telegram sticky for a pipeline that was intentionally
never run.

**Operationally** — when a future Dependabot PR (or another consolidated
batch like this one) needs full Blacksmith validation before merge, add
the `ci-run` label and the workflow re-fires on label.

## Test plan

- [x] `go build ./...` clean (local Go 1.26, CI uses 1.25)
- [x] `go test -count=1 -run '^$' -vet=off ./...` (compile every test
binary) clean
- [ ] Add `ci-run` label to this PR (it's authored by a human, not
Dependabot, so the gate is inert — CI runs anyway) and let `branch.yaml`
produce a real green build
- [ ] Verify the Blacksmith build's `build-setup` decrypts `SC_CONFIG`
correctly (Dependabot's failure mode was secret access, not code)
- [ ] After merge: confirm next Monday's Dependabot PRs land with the
heavy workflow showing as skipped (cascade from `build-setup`) and only
cheap CI fires

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
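
The `ci-run` gate from the commit message above, modelled in Python as an added example (not code from the repository), to show which events the three-clause `if:` lets through. The payloads, the `example-maintainer` login and the helper names are constructed for illustration; the case-insensitive, whole-element label match follows GitHub's documented expression semantics.

```python
# Added example: a model of the `if:` guard on build-setup, not repository code.
GATE_LABEL = "ci-run"          # label named in the workflow above
BOT_LOGIN = "dependabot[bot]"  # author login named in the workflow above


def gate_allows(event_name, event):
    """Return True when the guarded job would run for this event."""
    # Clause 1: anything that is not a pull_request event is never gated.
    if event_name != "pull_request":
        return True
    pr = event.get("pull_request") or {}
    # Clause 2: PRs from any other author run as before. GitHub expression
    # string comparison ignores case, so the model lowercases both sides.
    author = (pr.get("user") or {}).get("login") or ""
    if author.lower() != BOT_LOGIN.lower():
        return True
    # Clause 3: contains() over labels.*.name matches a whole array element
    # (case-insensitively); it is not a substring test.
    names = [(label.get("name") or "").lower() for label in pr.get("labels") or []]
    return GATE_LABEL.lower() in names


def pr_event(login, labels):
    """Build a constructed, minimal pull_request payload for the model."""
    return {"pull_request": {"user": {"login": login},
                             "labels": [{"name": n} for n in labels]}}


# Constructed sample events (not taken from the repository's run history).
SAMPLES = {
    "push to main": ("push", {}),
    "human PR, no label": ("pull_request", pr_event("example-maintainer", [])),
    "dependabot PR, no label": ("pull_request", pr_event("dependabot[bot]", ["dependencies"])),
    "dependabot PR, ci-run": ("pull_request", pr_event("dependabot[bot]", ["dependencies", "ci-run"])),
    "dependabot PR, CI-Run": ("pull_request", pr_event("dependabot[bot]", ["CI-Run"])),
    "dependabot PR, ci-run-later": ("pull_request", pr_event("dependabot[bot]", ["ci-run-later"])),
}


def evaluate_samples():
    """Map each sample name to the gate decision."""
    return {name: gate_allows(ev_name, ev) for name, (ev_name, ev) in SAMPLES.items()}


if __name__ == "__main__":
    for name, runs in evaluate_samples().items():
        print(f"{'run ' if runs else 'skip'}  {name}")
```
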

dependabot Bot commented on behalf of github May 20, 2026

Looks like docker/setup-buildx-action is up-to-date now, so this is no longer needed.

dependabot Bot closed this May 20, 2026
dependabot Bot deleted the dependabot/github_actions/docker/setup-buildx-action-4.0.0 branch May 20, 2026 14:59