From d4d22ad08afa6681ffa25b6f4562cb37b2fa6cf1 Mon Sep 17 00:00:00 2001 From: WarrenS Date: Wed, 28 Jan 2026 10:31:18 -0500 Subject: [PATCH 1/6] Potential fix for code scanning alert no. 4: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.github/workflows/release.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 19d1e97..3d0074a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -95,6 +95,8 @@ jobs: release: needs: manifest runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v6
From 3288e9069656d545322a776fb696d230764ece98 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 01:33:54 +0000 Subject: [PATCH 2/6] Bump debian from trixie-20260112 to trixie-20260421 Bumps debian from trixie-20260112 to trixie-20260421. --- updated-dependencies: - dependency-name: debian dependency-version: trixie-20260421 dependency-type: direct:production ... Signed-off-by: dependabot[bot]
---
Dockerfile.python-base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.python-base b/Dockerfile.python-base
index 005a4de..3ecdfb2 100644
--- a/Dockerfile.python-base
+++ b/Dockerfile.python-base
@@ -2,7 +2,7 @@ # Build and push once per Python version: # docker build -f Dockerfile.python-base -t ghcr.io/yourorg/python-optimized:3.11.2-trixie . # docker push ghcr.io/yourorg/python-optimized:3.11.2-trixie -FROM debian:trixie-20260112 +FROM debian:trixie-20260421 ARG PYTHON_VERSION=3.11.2 ENV DEBIAN_FRONTEND=noninteractive
From a7be057666d3f65b2d20488855e2698e3be8d81a Mon Sep 17 00:00:00 2001
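Review bot: The added `permissions:` block on the `release` job in PATCH 1/6 grants `contents: write` with no comment naming the step that needs it, and it scopes this job only; unless release.yaml also has a workflow-level block (none is visible here, and the alert title suggests there is none), any job without its own block keeps the repository's default GITHUB_TOKEN permissions. A job-level block also sets every unlisted scope to none, so if a later step in this job uses the token against the package registry it would need `packages:` listed too; the steps after `actions/checkout@v6` are outside the hunk, so check that against the full job. I would add a workflow-level default of `permissions:` / `contents: read` at the top of the file and keep the write grant here with a comment such as `# contents: write: needed by the release-publishing step`, worded to match what the job actually does with it.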
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 01:34:33 +0000 Subject: [PATCH 3/6] Bump docker/setup-buildx-action from 3 to 4 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
.github/workflows/build-and-validate.yaml | 2 +- .github/workflows/build-python-base.yaml | 2 +- .github/workflows/release.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-and-validate.yaml b/.github/workflows/build-and-validate.yaml
index 68bed4e..369acbb 100644
--- a/.github/workflows/build-and-validate.yaml
+++ b/.github/workflows/build-and-validate.yaml
@@ -29,7 +29,7 @@ jobs: uses: actions/checkout@v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@v3
diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
index cbfb0c6..046ec75 100644
--- a/.github/workflows/build-python-base.yaml
+++ b/.github/workflows/build-python-base.yaml
@@ -32,7 +32,7 @@ jobs: uses: actions/checkout@v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@v3
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0ff696a..9a501a4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -38,7 +38,7 @@ jobs: # Set up Docker Buildx - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@v3
From eaefb83d3adc973011b4bda96b95501211f8f880 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 01:34:20 +0000 Subject: [PATCH 4/6] Bump docker/login-action from 3 to 4 Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
.github/workflows/build-and-validate.yaml | 2 +- .github/workflows/build-python-base.yaml | 4 ++-- .github/workflows/release.yaml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-validate.yaml b/.github/workflows/build-and-validate.yaml
index 369acbb..6e7d85f 100644
--- a/.github/workflows/build-and-validate.yaml
+++ b/.github/workflows/build-and-validate.yaml
@@ -32,7 +32,7 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
index 046ec75..b09f868 100644
--- a/.github/workflows/build-python-base.yaml
+++ b/.github/workflows/build-python-base.yaml
@@ -35,7 +35,7 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
@@ -84,7 +84,7 @@ jobs: uses: actions/checkout@v6 - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9a501a4..0797d7a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -41,7 +41,7 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
@@ -92,7 +92,7 @@ jobs: uses: actions/checkout@v6 - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
@@ -114,7 +114,7 @@ jobs: packages: write steps: - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
From 913e119692b9742f238ca889fec7030edc310c1a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 01:34:28 +0000 Subject: [PATCH 5/6] Bump docker/metadata-action from 5 to 6 Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/v5...v6) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
.github/workflows/build-python-base.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
index b09f868..71a989f 100644
--- a/.github/workflows/build-python-base.yaml
+++ b/.github/workflows/build-python-base.yaml
@@ -54,7 +54,7 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0797d7a..b501dc4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -58,7 +58,7 @@ jobs: # Use docker/metadata-action to generate tags with an architecture suffix - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: |
From 394bb3dba1b279d8636a7bca901aa440dd463e90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 01:34:24 +0000 Subject: [PATCH 6/6] Bump docker/build-push-action from 6 to 7 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
.github/workflows/build-python-base.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
index 71a989f..4379693 100644
--- a/.github/workflows/build-python-base.yaml
+++ b/.github/workflows/build-python-base.yaml
@@ -61,7 +61,7 @@ jobs: type=raw,value=${{ steps.python.outputs.version }}-trixie-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} - name: Build and push Python base image for ${{ matrix.platform }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . file: Dockerfile.python-base
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b501dc4..f6c9c55 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,7 +66,7 @@ jobs: type=raw,value=${{ inputs.version }}-${{ matrix.arch }} - name: Build and push Docker image for ${{ matrix.platform }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . push: true