Bump docker/build-push-action from 7.1.0 to 7.2.0

[dependabot]

Bumps docker/build-push-action from 7.1.0 to 7.2.0.

Release notes

Sourced from docker/build-push-action's releases.

v7.2.0

• Bump @​actions/core from 3.0.0 to 3.0.1 in docker/build-push-action#1525
• Bump @​docker/actions-toolkit from 0.87.0 to 0.90.0 in docker/build-push-action#1517
• Bump brace-expansion from 2.0.2 to 5.0.6 in docker/build-push-action#1534
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/build-push-action#1529
• Bump fast-xml-parser from 5.5.7 to 5.8.0 in docker/build-push-action#1521
• Bump postcss from 8.5.6 to 8.5.10 in docker/build-push-action#1526
• Bump tar from 6.2.1 to 7.5.15 in docker/build-push-action#1533

Full Changelog: docker/build-push-action@v7.1.0...v7.2.0

Commits

• f9f3042 Merge pull request #1517 from docker/dependabot/npm_and_yarn/docker/actions-t...
• 812d5fd chore: update generated content
• b6f6693 chore(deps): Bump @​docker/actions-toolkit from 0.87.0 to 0.90.0
• c1c626e Merge pull request #1525 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
• 51bb284 chore: update generated content
• 5f7884d chore(deps): Bump @​actions/core from 3.0.0 to 3.0.1
• e01deff Merge pull request #1521 from docker/dependabot/npm_and_yarn/fast-xml-parser-...
• 3804d49 chore: update generated content
• 71e8947 chore(deps): Bump fast-xml-parser from 5.5.7 to 5.8.0
• 4925ad2 Merge pull request #1526 from docker/dependabot/npm_and_yarn/postcss-8.5.10
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[superagent-security]

Superagent found 1 security concern(s).

[superagent-security]

P1: Docker publish workflow uses a mutable action tag

docker/build-push-action@v7.2.0 is a mutable tag in a publish workflow.

Pin the action to the v7.2.0 commit SHA and keep # v7.2.0 as a comment.

AI prompt

Check if this security scanner issue is valid. If so, understand the root cause and fix it. If appropriate, update or add tests. Keep the change focused and preserve intended behavior.

<file name=".github/workflows/publish.yaml">
<violation number="1" location=".github/workflows/publish.yaml:119">
<priority>P1</priority>
<title>Docker publish workflow uses a mutable action tag</title>
<evidence>The PR updates the publish workflow to `uses: docker/build-push-action@v7.2.0`. This remains pinned to a mutable tag in a Docker publishing path, so a moved or compromised upstream tag could cause the release workflow to execute different action code while building and pushing images.</evidence>
<recommendation>Pin `docker/build-push-action` to the full 40-character commit SHA for the intended v7.2.0 release and keep the version as a comment, e.g. `uses: docker/build-push-action@&lt;full-commit-sha&gt; # v7.2.0`. Apply SHA pinning consistently to actions used in release/publish workflows.</recommendation>
</violation>
</file>