Skip to content

build(deps): bump docker/login-action from 3.6.0 to 4.1.0#74980

Merged
steipete merged 1 commit into
mainfrom
dependabot/github_actions/docker/login-action-4.1.0
Jun 5, 2026
Merged

build(deps): bump docker/login-action from 3.6.0 to 4.1.0#74980
steipete merged 1 commit into
mainfrom
dependabot/github_actions/docker/login-action-4.1.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026
edited
Loading

Bumps docker/login-action from 3.6.0 to 4.1.0.

Release notes

Sourced from docker/login-action's releases.

v4.1.0

Full Changelog: docker/login-action@v4.0.0...v4.1.0

v4.0.0

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits
  • 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 1e233e6 chore: update generated content
  • 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
  • ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
  • d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
  • a6f092b chore: update generated content
  • 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
  • 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 102c0e6 chore: update generated content
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 30, 2026
@clawsweeper
Copy link
Copy Markdown
Contributor

clawsweeper Bot commented Apr 30, 2026
edited
Loading

Codex review: needs maintainer review before merge. Reviewed May 30, 2026, 9:55 AM ET / 13:55 UTC.

Summary
The branch updates the Live Media Runner Image workflow's GHCR login step from docker/login-action v3.6.0 to the v4.1.0 release SHA.

PR surface: Config 0. Total 0 across 1 file.

Reproducibility: not applicable. this is a workflow dependency upgrade rather than a reported runtime bug. The reviewed behavior is the one-line pinned action change in the live-media image workflow.

Review metrics: 2 noteworthy metrics.

  • Action runtime changed: 1 action runtime moves node20 -> node24. docker/login-action v4.1.0 uses node24 and upstream v4.0 notes require a sufficiently new Actions runner, so this needs workflow-runner verification.
  • Sibling GHCR login pins: 8 existing v4.1.0 SHA uses, 1 remaining v3.6.0 use. Current main already uses the target pin in docker-release and install-smoke, making this PR an alignment change for the remaining live-media workflow.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Run or monitor the Live Media Runner Image workflow and confirm the v4.1.0 action logs into GHCR and pushes the image successfully.

Risk before merge

  • [P1] docker/login-action v4 runs on node24, and upstream release notes require Actions Runner v2.327.1 or later; a Blacksmith runner mismatch would break the live-media image publish workflow.
  • [P1] The workflow handles GHCR token login and image push, so normal static checks do not prove the operational path that this dependency upgrade changes.

Maintainer options:

  1. Verify the workflow before merge (recommended)
    Run or observe the Live Media Runner Image workflow with the updated action and confirm GHCR login and image push both succeed on the Blacksmith runner.
  2. Accept monitored rollout
    Maintainers may land the alignment change because sibling workflows already use the same pinned v4.1.0 SHA, then monitor the next workflow_dispatch or push-triggered image build.

Next step before merge

  • No automated repair is needed; the remaining action is maintainer verification of the semver-major GitHub Action upgrade in the image publishing workflow.

Security
Cleared: The diff keeps the same workflow permissions and credential flow, and the new docker/login-action reference is pinned to the verified v4.1.0 release SHA.

Review details

Best possible solution:

Land the SHA-pinned update after confirming the Live Media Runner Image workflow succeeds on the current runner; if not, update runner support or keep the old pin until the runner path is ready.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a workflow dependency upgrade rather than a reported runtime bug. The reviewed behavior is the one-line pinned action change in the live-media image workflow.

Is this the best way to solve the issue?

Yes, the patch is the narrowest maintainable update and the upstream v4 action keeps the inputs used by this workflow. The remaining question is operational proof that the node24 action runs successfully on the repository's Blacksmith workflow path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 65fe2b7e911f.

Label changes

Label changes:

  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

  • P3: This is low-risk dependency and workflow maintenance with limited blast radius, but it still needs maintainer workflow verification.
  • merge-risk: 🚨 automation: A semver-major GitHub Action upgrade changes the runtime for a GHCR image publishing workflow, which green code tests do not fully prove.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency PRs are exempt from contributor real-behavior proof, though maintainer workflow proof is still recommended before merge.
Evidence reviewed

PR surface:

Config 0. Total 0 across 1 file.

View PR surface stats
Area Files Added Removed Net
Source 0 0 0 0
Tests 0 0 0 0
Docs 0 0 0 0
Config 1 1 1 0
Generated 0 0 0 0
Other 0 0 0 0
Total 1 1 1 0

What I checked:

  • Repository policy read: Root AGENTS.md was read in full and applied to the PR review, including dependency-contract proof and workflow/security review guidance. (AGENTS.md:1, 65fe2b7e911f)
  • Current main workflow still uses v3.6.0 here: Current main has the live-media image workflow logging into GHCR with docker/login-action pinned to the v3.6.0 commit. (.github/workflows/live-media-runner-image.yml:32, 65fe2b7e911f)
  • PR diff is a one-line pinned action upgrade: The PR changes only the Login to GHCR step from the v3.6.0 SHA to the v4.1.0 SHA. (.github/workflows/live-media-runner-image.yml:32, 5fcfba32b2eb)
  • Upstream tag and action metadata checked: docker/login-action tag v4.1.0 resolves to 4907a6ddec9925e35a0a9e82d7399ccc52663121, and that action keeps the registry/username/password inputs while running on node24. (4907a6ddec99)
  • Semver-major runtime requirement checked: Upstream v4.0.0 release notes state that docker/login-action v4 uses Node 24 and requires Actions Runner v2.327.1 or later.
  • Sibling workflows already use this v4 SHA: Current main already uses the same pinned v4.1.0 SHA in docker-release and install-smoke GHCR login steps, while live-media remains the only old v3.6.0 login-action pin found under workflows. (.github/workflows/docker-release.yml:90, 65fe2b7e911f)

Likely related people:

  • Ayaan Zaidi: Blame and file history show commit 8ba79d7 introduced the live-media runner image workflow and its current docker/login-action v3.6.0 pin. (role: introduced current workflow; confidence: high; commits: 8ba79d72b45e; files: .github/workflows/live-media-runner-image.yml, .github/images/live-media-runner/Dockerfile, docs/ci.md)
  • Peter Steinberger: The latest release tag commit 27ae826 added sibling Docker release/install-smoke workflows that already use the same docker/login-action v4.1.0 SHA. (role: adjacent release workflow contributor; confidence: medium; commits: 27ae826f6525; files: .github/workflows/docker-release.yml, .github/workflows/install-smoke.yml, .github/workflows/live-media-runner-image.yml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@dependabot dependabot Bot changed the title build(deps): bump docker/login-action from 3.6.0 to 4.1.0 chore(deps): bump docker/login-action from 3.6.0 to 4.1.0 May 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/login-action-4.1.0 branch from ad240aa to 494de0b Compare May 3, 2026 12:02
@dependabot dependabot Bot changed the title chore(deps): bump docker/login-action from 3.6.0 to 4.1.0 build(deps): bump docker/login-action from 3.6.0 to 4.1.0 May 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/login-action-4.1.0 branch from 494de0b to 0dcab8f Compare May 10, 2026 14:57
@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/login-action-4.1.0 branch from 0dcab8f to 61feffe Compare May 23, 2026 17:26
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels May 23, 2026
@clawsweeper
Copy link
Copy Markdown
Contributor

clawsweeper Bot commented May 23, 2026

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location workflow harbor; accessory CI status badge; palette coral, mint, and warm cream; mood celebratory; pose peeking out from the egg shell; shell starlit enamel shell; lighting golden review-room light; background small review tokens.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Lint Imp in ClawSweeper.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/docker/login-action-4.1.0 branch from 61feffe to 5fcfba3 Compare May 23, 2026 18:30
@clawsweeper clawsweeper Bot added P3 Low-priority cleanup, docs, polish, ergonomics, or speculative work. merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels May 23, 2026
@dependabot @steipete
build(deps): bump docker/login-action from 3.6.0 to 4.1.0
5de90a5 
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3.6.0...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@steipete steipete force-pushed the dependabot/github_actions/docker/login-action-4.1.0 branch from 5fcfba3 to 5de90a5 Compare June 5, 2026 21:08
@steipete steipete merged commit 2ab4eaa into main Jun 5, 2026
143 checks passed
@steipete steipete deleted the dependabot/github_actions/docker/login-action-4.1.0 branch June 5, 2026 21:12
@github-actions github-actions Bot mentioned this pull request Jun 5, 2026
Open
@Haderach-Ram Haderach-Ram mentioned this pull request Jun 6, 2026
Open
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 6, 2026
@dependabot
build(deps): bump docker/login-action from 3.6.0 to 4.1.0 (openclaw#7…
0db3a53 
…4980)

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3.6.0...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
849261680 pushed a commit to 849261680/openclaw that referenced this pull request Jun 7, 2026
@dependabot @849261680
build(deps): bump docker/login-action from 3.6.0 to 4.1.0 (openclaw#7…
227ceec 
…4980)

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3.6.0...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. P3 Low-priority cleanup, docs, polish, ergonomics, or speculative work. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. size: XS status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@steipete