Skip to content

chore(deps): update docker/metadata-action action to v6.1.0#83

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/docker-metadata-action-6.x
Open

chore(deps): update docker/metadata-action action to v6.1.0#83
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/docker-metadata-action-6.x

Conversation

@renovate

@renovate renovate Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Pending
docker/metadata-action action minor v6.0.0v6.1.0 v6.2.0

Release Notes

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

  • Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​613
  • Bump brace-expansion from 1.1.12 to 5.0.6 in #​658 #​630
  • Bump csv-parse from 6.1.0 to 6.2.1 in #​617
  • Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​620
  • Bump flatted from 3.3.3 to 3.4.2 in #​623
  • Bump glob from 10.3.15 to 10.5.0 in #​621
  • Bump handlebars from 4.7.8 to 4.7.9 in #​629
  • Bump lodash from 4.17.23 to 4.18.1 in #​639
  • Bump moment-timezone from 0.6.0 to 0.6.1 in #​619
  • Bump picomatch from 4.0.3 to 4.0.4 in #​626
  • Bump postcss from 8.5.6 to 8.5.10 in #​649
  • Bump tar from 6.2.1 to 7.5.15 in #​657
  • Bump undici from 6.23.0 to 6.25.0 in #​614
  • Bump vite from 7.3.1 to 7.3.2 in #​637

Full Changelog: docker/metadata-action@v6.0.0...v6.1.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Update: v6.0.0v6.1.0 (Minor version bump)

Release Type: Maintenance release focused on dependency updates

Key Changes:

  • Build System Update: Main entry point changed from dist/index.js to dist/index.cjs in action.yml (internal build artifact change, no API impact)
  • 14 Dependency Updates: All updates are internal dependency bumps for security and maintenance purposes
    • Critical updates: @docker/actions-toolkit (0.79.0 → 0.90.0), lodash (4.17.23 → 4.18.1), undici (6.23.0 → 6.25.0)
    • Security-related: handlebars (4.7.8 → 4.7.9), postcss (8.5.6 → 8.5.10), tar (6.2.1 → 7.5.15)
    • Other maintenance updates: brace-expansion, csv-parse, fast-xml-parser, flatted, glob, moment-timezone, picomatch, vite

Breaking Changes: None identified

Security Fixes: Multiple dependency updates address known vulnerabilities in underlying libraries (handlebars, postcss, tar, undici, lodash)

🎯 Impact Scope Investigation

Usage Location: Single usage found in .github/workflows/release-please.yml:64

Current Configuration:

- uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
  id: meta
  with:
    images: ghcr.io/codize-dev/sandbox
    tags: |
      type=semver,pattern={{version}},value=${{ needs.release-please.outputs.tag }}
      type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-please.outputs.tag }}
      type=semver,pattern={{major}},value=${{ needs.release-please.outputs.tag }}
      type=sha,format=long,prefix=
      type=raw,value=latest,enable={{is_default_branch}}

API Compatibility: All inputs (images, tags) and outputs (tags, labels) remain unchanged. The action signature is fully backward compatible.

Impact Assessment:

  • ✅ No code modifications required
  • ✅ No configuration changes needed
  • ✅ Existing tag generation patterns remain valid
  • ✅ Output schema unchanged (workflow continues to consume steps.meta.outputs.tags and steps.meta.outputs.labels without modification)

Dependency Impact: This is a GitHub Action dependency, not a project runtime dependency. No impact on the sandbox codebase, build process, or application behavior.

💡 Recommended Actions

Immediate Actions:

  1. Merge PR: This update is safe to merge immediately
  2. No Migration Required: Existing workflow configuration is fully compatible

Verification (Post-merge):

  1. Monitor the next release workflow run to ensure Docker image tagging and publishing continues to work correctly
  2. Verify that generated tags match the expected pattern in GHCR (ghcr.io/codize-dev/sandbox)

Benefits of Merging:

  • Security improvements through dependency updates (handlebars, postcss, tar, undici, lodash)
  • Updated toolkit dependencies for better GitHub Actions integration
  • Maintenance updates ensure continued compatibility with GitHub Actions platform

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants