chore: update generated content

chore(deps): Bump @actions/core from 3.0.0 to 3.0.1
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 3.0.0 to 3.0.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-07 02:32:48 +08:00 · 2026-04-24 11:54:21 +00:00 · 2026-04-24 11:53:12 +00:00 · 2026-04-24 09:48:12 +02:00 · 2026-04-24 09:46:03 +02:00 · 2026-04-22 11:52:24 +00:00
18 changed files with 590 additions and 268 deletions
@@ -4,6 +4,12 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
    labels:
      - "dependencies"
      - "bot"
@@ -11,6 +17,10 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+      exclude:
+        - "@docker/actions-toolkit"
    versioning-strategy: "increase"
    allow:
      - dependency-type: "production"
@@ -1,6 +1,9 @@
 # reusable workflow
 name: .e2e-run

+permissions:
+  contents: read
+
 on:
  workflow_call:
    inputs:
@@ -19,12 +22,11 @@ on:
      slug:
        required: false
        type: string
-      username_secret:
+    secrets:
+      registry_username:
        required: false
-        type: string
-      password_secret:
+      registry_password:
        required: false
-        type: string

 env:
  HARBOR_VERSION: v2.13.2
@@ -50,17 +52,21 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up env
        if: inputs.type == 'local'
+        env:
+          ID: ${{ inputs.id }}
        run: |
-          cat ./.github/e2e/${{ inputs.id }}/env >> $GITHUB_ENV
+          cat ./.github/e2e/${ID}/env >> $GITHUB_ENV
      -
        name: Set up BuildKit config
+        env:
+          TYPE: ${{ inputs.type }}
        run: |
          touch /tmp/buildkitd.toml
-          if [ "${{ inputs.type }}" = "local" ]; then
+          if [ "${TYPE}" = "local" ]; then
            echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
          fi
      -
@@ -77,13 +83,15 @@ jobs:
      -
        name: Install ${{ inputs.name }}
        if: inputs.type == 'local'
+        env:
+          ID: ${{ inputs.id }}
        run: |
-          sudo -E bash ./.github/e2e/${{ inputs.id }}/install.sh
+          sudo -E bash ./.github/e2e/${ID}/install.sh
          sudo chown $(id -u):$(id -g) -R ~/.docker
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.REGISTRY_SLUG || inputs.slug }}
          tags: |
@@ -92,10 +100,10 @@ jobs:
            type=raw,gh-runid-${{ github.run_id }}
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ matrix.buildx_version }}
          buildkitd-config: /tmp/buildkitd.toml
@@ -105,12 +113,12 @@ jobs:
            network=host
      -
        name: Login to Registry
-        if: github.event_name != 'pull_request' && (env.REGISTRY_USER || inputs.username_secret) != ''
-        uses: docker/login-action@v4
+        if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
-          username: ${{ env.REGISTRY_USER || secrets[inputs.username_secret] }}
-          password: ${{ env.REGISTRY_PASSWORD || secrets[inputs.password_secret] }}
+          username: ${{ env.REGISTRY_USER || secrets.registry_username }}
+          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
      -
        name: Build and push
        uses: ./
@@ -125,10 +133,14 @@ jobs:
          cache-to: type=inline
      -
        name: Inspect image
+        env:
+          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
        run: |
-          docker pull ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }}
-          docker image inspect ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }}
+          docker pull ${SLUG}:${{ steps.meta.outputs.version }}
+          docker image inspect ${SLUG}:${{ steps.meta.outputs.version }}
      -
        name: Check manifest
+        env:
+          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
+          docker buildx imagetools inspect ${SLUG}:${{ steps.meta.outputs.version }} --format '{{json .}}'
@@ -1,5 +1,8 @@
 name: ci

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -33,12 +36,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -53,22 +56,22 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -98,26 +101,77 @@ jobs:
            exit 1
          fi

+  git-context-query:
+    runs-on: ubuntu-latest
+    env:
+      BUILDX_SEND_GIT_QUERY_AS_INPUT: true
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: action
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: v0.29.0
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
  git-context-secret:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -161,20 +215,20 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -210,17 +264,17 @@ jobs:
      DOCKER_IMAGE: localhost:5000/name/app
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.DOCKER_IMAGE }}
          tags: |
@@ -233,7 +287,7 @@ jobs:
            type=sha
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -272,7 +326,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Stop docker
        run: |
@@ -298,13 +352,13 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -332,13 +386,13 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        id: docker_build
@@ -354,7 +408,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        uses: ./
@@ -373,10 +427,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -391,15 +445,38 @@ jobs:
            MYSECRET=foo
            INVALID_SECRET=

+  secret-files:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secret-files: |
+            MYSECRET=./test/secret.txt
+            INVALID_SECRET=
+
  secret-envs:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -421,10 +498,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -445,10 +522,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -467,10 +544,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -492,10 +569,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -515,10 +592,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -540,10 +617,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -576,10 +653,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ matrix.buildx }}
          driver-opts: |
@@ -613,16 +690,16 @@ jobs:
            attr: ''
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -665,16 +742,16 @@ jobs:
            output: /tmp/buildx-build
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -717,20 +794,20 @@ jobs:
          - multi-sudo
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -786,16 +863,16 @@ jobs:
            push: true
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver: ${{ matrix.driver }}
@@ -856,19 +933,19 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -905,19 +982,19 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -946,19 +1023,19 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -967,7 +1044,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Cache Build
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-local-test-${{ github.sha }}
@@ -1004,7 +1081,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Uninstall docker cli
        run: |
@@ -1015,7 +1092,7 @@ jobs:
          fi
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1033,10 +1110,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1055,10 +1132,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver: docker
@@ -1083,16 +1160,16 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1120,7 +1197,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set malformed docker config
        run: |
@@ -1136,7 +1213,7 @@ jobs:
    runs-on: ubuntu-latest
    services:
      squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
        ports:
          - 3128:3128
    steps:
@@ -1147,7 +1224,7 @@ jobs:
          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set proxy config
        run: |
@@ -1155,7 +1232,7 @@ jobs:
          echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1173,7 +1250,7 @@ jobs:
    runs-on: ubuntu-latest
    services:
      squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
        ports:
          - 3128:3128
    steps:
@@ -1184,10 +1261,10 @@ jobs:
          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1209,17 +1286,17 @@ jobs:
      DOCKER_IMAGE: localhost:5000/name/app
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.DOCKER_IMAGE }}
          tags: |
@@ -1232,7 +1309,7 @@ jobs:
            type=sha
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1259,19 +1336,19 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1308,19 +1385,19 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1350,12 +1427,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1373,12 +1450,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: v0.12.1
          driver-opts: |
@@ -1394,12 +1471,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1423,12 +1500,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1453,10 +1530,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ matrix.buildx-version }}
          driver-opts: |
@@ -1473,10 +1550,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1495,10 +1572,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1525,12 +1602,12 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: action
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -1,5 +1,8 @@
 name: codeql

+permissions:
+  contents: read
+
 on:
  push:
    branches:
@@ -7,21 +10,19 @@ on:
      - 'releases/v*'
  pull_request:

-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
 env:
  NODE_VERSION: "24"

 jobs:
  analyze:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Enable corepack
        run: |
@@ -29,17 +30,17 @@ jobs:
          yarn --version
      -
        name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          category: "/language:javascript-typescript"
@@ -1,5 +1,8 @@
 name: e2e

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -24,77 +27,71 @@ jobs:
          -
            name: Distribution
            id: distribution
+            auth: none
            type: local
          -
            name: Docker Hub
            registry: ''
            slug: ghactionstest/ghactionstest
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
+            auth: dockerhub
            type: remote
          -
            name: GitHub
            registry: ghcr.io
            slug: ghcr.io/docker-ghactiontest/test
-            username_secret: GHCR_USERNAME
-            password_secret: GHCR_PAT
+            auth: ghcr
            type: remote
          -
            name: GitLab
            registry: registry.gitlab.com
            slug: registry.gitlab.com/test1716/test
-            username_secret: GITLAB_USERNAME
-            password_secret: GITLAB_TOKEN
+            auth: gitlab
            type: remote
          -
            name: AWS ECR
            registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
            slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
-            username_secret: AWS_ACCESS_KEY_ID
-            password_secret: AWS_SECRET_ACCESS_KEY
+            auth: aws
            type: remote
          -
            name: AWS ECR Public
            registry: public.ecr.aws
            slug: public.ecr.aws/q3b5f1u4/test-docker-action
-            username_secret: AWS_ACCESS_KEY_ID
-            password_secret: AWS_SECRET_ACCESS_KEY
+            auth: aws
            type: remote
          -
            name: Google Artifact Registry
            registry: us-east4-docker.pkg.dev
            slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
-            username_secret: GAR_USERNAME
-            password_secret: GAR_JSON_KEY
+            auth: gar
            type: remote
          -
            name: Azure Container Registry
            registry: officialgithubactions.azurecr.io
            slug: officialgithubactions.azurecr.io/test-docker-action
-            username_secret: AZURE_CLIENT_ID
-            password_secret: AZURE_CLIENT_SECRET
+            auth: acr
            type: remote
          -
            name: Quay
            registry: quay.io
            slug: quay.io/docker_build_team/ghactiontest
-            username_secret: QUAY_USERNAME
-            password_secret: QUAY_TOKEN
+            auth: quay
            type: remote
          -
            name: Artifactory
            registry: infradock.jfrog.io
            slug: infradock.jfrog.io/test-ghaction/build-push-action
-            username_secret: ARTIFACTORY_USERNAME
-            password_secret: ARTIFACTORY_TOKEN
+            auth: artifactory
            type: remote
          -
            name: Harbor
            id: harbor
+            auth: none
            type: local
          -
            name: Nexus
            id: nexus
+            auth: none
            type: local
    with:
      id: ${{ matrix.id }}
@@ -102,6 +99,29 @@ jobs:
      name: ${{ matrix.name }}
      registry: ${{ matrix.registry }}
      slug: ${{ matrix.slug }}
-      username_secret: ${{ matrix.username_secret }}
-      password_secret: ${{ matrix.password_secret }}
-    secrets: inherit
+    secrets:
+      # Pass only the two secrets needed by each matrix entry.
+      registry_username: >-
+        ${{
+          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
+          matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
+          matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
+          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
+          matrix.auth == 'gar' && secrets.GAR_USERNAME ||
+          matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
+          matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
+          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
+          ''
+        }}
+      registry_password: >-
+        ${{
+          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
+          matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
+          matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
+          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
+          matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
+          matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
+          matrix.auth == 'quay' && secrets.QUAY_TOKEN ||
+          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
+          ''
+        }}
@@ -4,14 +4,14 @@ permissions:
  contents: read

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
    types:
      - opened
      - reopened

 jobs:
  run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2 # v1.7.0
    permissions:
      contents: read
      pull-requests: write
@@ -1,5 +1,12 @@
 name: publish

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  release:
    types:
@@ -15,7 +22,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -1,5 +1,8 @@
 name: test

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -17,16 +20,16 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          source: .
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -1,5 +1,12 @@
 name: update-dist

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  pull_request:
    types:
@@ -8,27 +15,27 @@ on:

 jobs:
  update-dist:
-    if: github.actor == 'dependabot[bot]'
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
    runs-on: ubuntu-latest
    steps:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
-          token: ${{ steps.docker-read-app.outputs.token || github.token }}
+          token: ${{ steps.docker-read-app.outputs.token }}
      -
        name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          source: .
          targets: build
@@ -1,5 +1,8 @@
 name: validate

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,11 +22,11 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Generate matrix
        id: generate
-        uses: docker/bake-action/subaction/matrix@v7
+        uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          target: validate

@@ -38,6 +41,6 @@ jobs:
    steps:
      -
        name: Validate
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2 # v1.7.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
@@ -12,8 +12,6 @@ import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';

 import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';

-import * as context from '../src/context.js';
-
 const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
 const tmpName = path.join(tmpDir, '.tmpname-vi');
 const fixturesDir = path.join(__dirname, 'fixtures');
@@ -52,6 +50,53 @@ vi.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Buil
  };
 });

+describe('getInputs', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  function setRequiredBooleanInputs(): void {
+    setInput('load', 'false');
+    setInput('no-cache', 'false');
+    setInput('push', 'false');
+    setInput('pull', 'false');
+  }
+
+  test('uses Build git context when context input is empty', async () => {
+    const gitContext = 'https://github.com/docker/build-push-action.git?ref=refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const context = await loadContextModule();
+    const inputs = await context.getInputs();
+    expect(inputs.context).toBe(gitContext);
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+
+  test('renders defaultContext templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/build-push-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('context', '{{defaultContext}}:subdir');
+    const context = await loadContextModule();
+    const inputs = await context.getInputs();
+    expect(inputs.context).toBe(`${gitContext}:subdir`);
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+});
+
 describe('getArgs', () => {
  const originalEnv = process.env;
  beforeEach(() => {
@@ -344,7 +389,7 @@ ccc`],
        'build',
        '--file', './test/Dockerfile',
        '--iidfile', imageIDFilePath,
-        '--secret', `id=MY_SECRET,src=${tmpName}`,
+        '--secret', `id=MY_SECRET,src=${path.join(fixturesDir, 'secret.txt')}`,
        '--builder', 'builder-git-context-2',
        '--network', 'host',
        '--push',
@@ -888,6 +933,46 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
        ['GITHUB_SERVER_URL', 'https://github.cds.internal.unity3d.com'],
      ])
    ],
+    [
+      37,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--metadata-file', metadataJson,
+        'https://github.com/docker/build-push-action.git?ref=refs/heads/master'
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      38,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--metadata-file', metadataJson,
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
  ])(
    '[%d] given %o with %o as inputs, returns %o',
    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
@@ -903,6 +988,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
      vi.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
        return buildxVersion;
      });
+      const context = await loadContextModule();
      const inp = await context.getInputs();
      const res = await context.getArgs(inp, toolkit);
      expect(res).toEqual(expected);
@@ -918,3 +1004,8 @@ function getInputName(name: string): string {
 function setInput(name: string, value: string): void {
  process.env[getInputName(name)] = value;
 }
+
+async function loadContextModule(): Promise<typeof import('../src/context.js')> {
+  vi.resetModules();
+  return await import('../src/context.js');
+}
@@ -23,9 +23,9 @@
  "license": "Apache-2.0",
  "packageManager": "yarn@4.9.2",
  "dependencies": {
-    "@actions/core": "^3.0.0",
-    "@docker/actions-toolkit": "0.79.0",
-    "handlebars": "^4.7.7"
+    "@actions/core": "^3.0.1",
+    "@docker/actions-toolkit": "0.87.0",
+    "handlebars": "^4.7.9"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.3",
@@ -2,11 +2,17 @@ import * as core from '@actions/core';
 import * as handlebars from 'handlebars';

 import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
-import {Context} from '@docker/actions-toolkit/lib/context.js';
 import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
 import {Util} from '@docker/actions-toolkit/lib/util.js';

+let defaultContextPromise: Promise<string> | undefined;
+
+async function getDefaultContext(): Promise<string> {
+  defaultContextPromise ??= new Build().gitContext();
+  return await defaultContextPromise;
+}
+
 export interface Inputs {
  'add-hosts': string[];
  allow: string[];
@@ -44,6 +50,7 @@ export interface Inputs {
 }

 export async function getInputs(): Promise<Inputs> {
+  const defaultContext = await getDefaultContext();
  return {
    'add-hosts': Util.getInputList('add-hosts'),
    allow: Util.getInputList('allow'),
@@ -56,7 +63,7 @@ export async function getInputs(): Promise<Inputs> {
    'cache-to': Util.getInputList('cache-to', {ignoreComma: true}),
    call: core.getInput('call'),
    'cgroup-parent': core.getInput('cgroup-parent'),
-    context: core.getInput('context') || Context.gitContext(),
+    context: handlebars.compile(core.getInput('context'))({defaultContext}) || defaultContext,
    file: core.getInput('file'),
    labels: Util.getInputList('labels', {ignoreComma: true}),
    load: core.getBooleanInput('load'),
@@ -82,18 +89,17 @@ export async function getInputs(): Promise<Inputs> {
 }

 export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
-  const context = handlebars.compile(inputs.context)({
-    defaultContext: Context.gitContext()
-  });
  // prettier-ignore
  return [
-    ...await getBuildArgs(inputs, context, toolkit),
+    ...await getBuildArgs(inputs, inputs.context, toolkit),
    ...await getCommonArgs(inputs, toolkit),
-    context
+    inputs.context
  ];
 }

 async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit): Promise<Array<string>> {
+  const defaultContext = await getDefaultContext();
+
  const args: Array<string> = ['build'];
  await Util.asyncForEach(inputs['add-hosts'], async addHost => {
    args.push('--add-host', addHost);
@@ -116,7 +122,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
      args.push(
        '--build-context',
        handlebars.compile(buildContext)({
-          defaultContext: Context.gitContext()
+          defaultContext: defaultContext
        })
      );
    });
@@ -182,7 +188,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
      core.warning(err.message);
    }
  });
-  if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
+  if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(defaultContext)) {
    args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN.${new URL(GitHub.serverURL).host.trimEnd()}=${inputs['github-token']}`));
  }
  if (inputs['shm-size']) {
@@ -0,0 +1 @@
+foo
@@ -12,9 +12,9 @@ __metadata:
  languageName: node
  linkType: hard

-"@actions/artifact@npm:^6.2.0":
-  version: 6.2.0
-  resolution: "@actions/artifact@npm:6.2.0"
+"@actions/artifact@npm:^6.2.1":
+  version: 6.2.1
+  resolution: "@actions/artifact@npm:6.2.1"
  dependencies:
    "@actions/core": "npm:^3.0.0"
    "@actions/github": "npm:^9.0.0"
@@ -30,7 +30,7 @@ __metadata:
    archiver: "npm:^7.0.1"
    jwt-decode: "npm:^4.0.0"
    unzip-stream: "npm:^0.3.1"
-  checksum: 10/fa931b1222c0e08bca85d3cb18c2cd5ae912cce3f09ab3acd4ec3486e864337d65177089a14aef124d9696b9dd5309b273a9251e230172c79c2444af2c43443e
+  checksum: 10/1fad9b079ee2ab07f964b93bf7b4fc594d115199219baed74ac3bf2a8675e0b7ea57252eccbcdaaaa8fc8375742d23585cbd054f3b2d029c091817e0f257ce93
  languageName: node
  linkType: hard

@@ -61,6 +61,16 @@ __metadata:
  languageName: node
  linkType: hard

+"@actions/core@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "@actions/core@npm:3.0.1"
+  dependencies:
+    "@actions/exec": "npm:^3.0.0"
+    "@actions/http-client": "npm:^4.0.0"
+  checksum: 10/e1295f6b81299cc5655ea571e7b3eea02889fdc479e71c783ad9ca48432c613f52a1fd01fecc973a64488b053083ea925a0d23ac7af0bcd8462afc4f4371918b
+  languageName: node
+  linkType: hard
+
 "@actions/exec@npm:^3.0.0":
  version: 3.0.0
  resolution: "@actions/exec@npm:3.0.0"
@@ -367,11 +377,11 @@ __metadata:
  languageName: node
  linkType: hard

-"@docker/actions-toolkit@npm:0.79.0":
-  version: 0.79.0
-  resolution: "@docker/actions-toolkit@npm:0.79.0"
+"@docker/actions-toolkit@npm:0.87.0":
+  version: 0.87.0
+  resolution: "@docker/actions-toolkit@npm:0.87.0"
  dependencies:
-    "@actions/artifact": "npm:^6.2.0"
+    "@actions/artifact": "npm:^6.2.1"
    "@actions/cache": "npm:^6.0.0"
    "@actions/core": "npm:^3.0.0"
    "@actions/exec": "npm:^3.0.0"
@@ -380,20 +390,20 @@ __metadata:
    "@actions/io": "npm:^3.0.2"
    "@actions/tool-cache": "npm:^4.0.0"
    "@sigstore/bundle": "npm:^4.0.0"
-    "@sigstore/sign": "npm:^4.1.0"
-    "@sigstore/tuf": "npm:^4.0.1"
+    "@sigstore/sign": "npm:^4.1.1"
+    "@sigstore/tuf": "npm:^4.0.2"
    "@sigstore/verify": "npm:^3.1.0"
    async-retry: "npm:^1.3.3"
-    csv-parse: "npm:^6.1.0"
+    csv-parse: "npm:^6.2.1"
    gunzip-maybe: "npm:^1.4.2"
-    handlebars: "npm:^4.7.8"
+    handlebars: "npm:^4.7.9"
    he: "npm:^1.2.0"
    js-yaml: "npm:^4.1.1"
    jwt-decode: "npm:^4.0.0"
    semver: "npm:^7.7.4"
    tar-stream: "npm:^3.1.7"
    tmp: "npm:^0.2.5"
-  checksum: 10/d64849ba49b2b59e2e93237a70be03fd7c43b1f7f01bac3f7557616ba5f59be785cb12a273bbb6a71c1e0d959f1bc6c673111b587c57bd2d6da105dcc500921a
+  checksum: 10/439d0763a394ecd0632cff10c6b88400f6f519612b9b2dedc032dc7e427e9628af59f1fc153c37b0c685a2bdef8bc2a901aa7c743080bc4ab312276e447dbf55
  languageName: node
  linkType: hard

@@ -676,6 +686,13 @@ __metadata:
  languageName: node
  linkType: hard

+"@gar/promise-retry@npm:^1.0.2":
+  version: 1.0.3
+  resolution: "@gar/promise-retry@npm:1.0.3"
+  checksum: 10/0d13ea3bb1025755e055648f6e290d2a7e0c87affaf552218f09f66b3fcd9ea9d5c9cc5fe2aa6e285e1530437768e40f9448fe9a86f4f3417b216dcf488d3d1a
+  languageName: node
+  linkType: hard
+
 "@humanfs/core@npm:^0.19.1":
  version: 0.19.1
  resolution: "@humanfs/core@npm:0.19.1"
@@ -796,6 +813,13 @@ __metadata:
  languageName: node
  linkType: hard

+"@npmcli/redact@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "@npmcli/redact@npm:4.0.0"
+  checksum: 10/5d52df2b5267f4369c97a2b2f7c427e3d7aa4b6a83e7a1b522e196f6e9d50024c620bd0cb2052067c74d1aaa0c330d9bc04e1d335bfb46180e705bb33423e74c
+  languageName: node
+  linkType: hard
+
 "@octokit/auth-token@npm:^6.0.0":
  version: 6.0.0
  resolution: "@octokit/auth-token@npm:6.0.0"
@@ -1194,6 +1218,13 @@ __metadata:
  languageName: node
  linkType: hard

+"@sigstore/core@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "@sigstore/core@npm:3.2.0"
+  checksum: 10/2425d20297d57a5f5a62f0e6c2f4280818015ea00b3defebdac63f13c7d01db988602c316c16e374ba091c3649dd9a22ae8c9ba3ac165f736b0503164c5da5f5
+  languageName: node
+  linkType: hard
+
 "@sigstore/protobuf-specs@npm:^0.5.0":
  version: 0.5.0
  resolution: "@sigstore/protobuf-specs@npm:0.5.0"
@@ -1201,27 +1232,27 @@ __metadata:
  languageName: node
  linkType: hard

-"@sigstore/sign@npm:^4.1.0":
-  version: 4.1.0
-  resolution: "@sigstore/sign@npm:4.1.0"
+"@sigstore/sign@npm:^4.1.1":
+  version: 4.1.1
+  resolution: "@sigstore/sign@npm:4.1.1"
  dependencies:
+    "@gar/promise-retry": "npm:^1.0.2"
    "@sigstore/bundle": "npm:^4.0.0"
-    "@sigstore/core": "npm:^3.1.0"
+    "@sigstore/core": "npm:^3.2.0"
    "@sigstore/protobuf-specs": "npm:^0.5.0"
-    make-fetch-happen: "npm:^15.0.3"
+    make-fetch-happen: "npm:^15.0.4"
    proc-log: "npm:^6.1.0"
-    promise-retry: "npm:^2.0.1"
-  checksum: 10/e5441d4cacf0f203f329e96bb7a3ca77682cfdf90d6448ad368344056fd8d55c01742e2b636545d55364490a87988f767f2b23168b2d9cc52ef3d8fe9e9496aa
+  checksum: 10/c9424813ed83ae26111dd3a190dbfd776901cfc245ebb9aa68e133a7ffcbf8fc053f01d999a451e44805a291921ba4d2dfe80e3fd41b20cd5becd26aae5f5e7c
  languageName: node
  linkType: hard

-"@sigstore/tuf@npm:^4.0.1":
-  version: 4.0.1
-  resolution: "@sigstore/tuf@npm:4.0.1"
+"@sigstore/tuf@npm:^4.0.2":
+  version: 4.0.2
+  resolution: "@sigstore/tuf@npm:4.0.2"
  dependencies:
    "@sigstore/protobuf-specs": "npm:^0.5.0"
    tuf-js: "npm:^4.1.0"
-  checksum: 10/1a9725aa95eba55badf24442fe8a71c6d68f8b7d17a6b2a5e4b5590117f0181881b3485cfa57ea375b7c3a38421dbffdfcbe86e6623d903e17e3a8359837e268
+  checksum: 10/14882b8e71be4185ec417744b97a47392a50da00aafd4207a46bb74b40aa019ebf22d928052fd2d31a8da0da1efe7ebebac5a70898b31a74239a1ada997be754
  languageName: node
  linkType: hard

@@ -1813,25 +1844,16 @@ __metadata:
  linkType: hard

 "brace-expansion@npm:^1.1.7":
-  version: 1.1.12
-  resolution: "brace-expansion@npm:1.1.12"
+  version: 1.1.13
+  resolution: "brace-expansion@npm:1.1.13"
  dependencies:
    balanced-match: "npm:^1.0.0"
    concat-map: "npm:0.0.1"
-  checksum: 10/12cb6d6310629e3048cadb003e1aca4d8c9bb5c67c3c321bafdd7e7a50155de081f78ea3e0ed92ecc75a9015e784f301efc8132383132f4f7904ad1ac529c562
+  checksum: 10/b5f4329fdbe9d2e25fa250c8f866ebd054ba946179426e99b86dcccddabdb1d481f0e40ee5430032e62a7d0a6c2837605ace6783d015aa1d65d85ca72154d936
  languageName: node
  linkType: hard

-"brace-expansion@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "brace-expansion@npm:2.0.1"
-  dependencies:
-    balanced-match: "npm:^1.0.0"
-  checksum: 10/a61e7cd2e8a8505e9f0036b3b6108ba5e926b4b55089eeb5550cd04a471fe216c96d4fe7e4c7f995c728c554ae20ddfc4244cad10aef255e72b62930afd233d1
-  languageName: node
-  linkType: hard
-
-"brace-expansion@npm:^2.0.2":
+"brace-expansion@npm:^2.0.1, brace-expansion@npm:^2.0.2":
  version: 2.0.2
  resolution: "brace-expansion@npm:2.0.2"
  dependencies:
@@ -2048,10 +2070,10 @@ __metadata:
  languageName: node
  linkType: hard

-"csv-parse@npm:^6.1.0":
-  version: 6.1.0
-  resolution: "csv-parse@npm:6.1.0"
-  checksum: 10/607d92611435fdfb7631242644a2582bfb218fad8c6c6d6416db31647c2e63a3110f16c9837de6baaa3edf318212765cfc6e72d672d99690fd7f565d6c93d6f4
+"csv-parse@npm:^6.2.1":
+  version: 6.2.1
+  resolution: "csv-parse@npm:6.2.1"
+  checksum: 10/7fbde1225c6df6aaea01a202934e1f15ce16ed55e544ead0d066b0c4dc9ae1a2fc881b412889cbf115cd74cbf14ea17388b394e8a31e05cb412dd7dc6114bebd
  languageName: node
  linkType: hard

@@ -2102,8 +2124,8 @@ __metadata:
  version: 0.0.0-use.local
  resolution: "docker-build-push@workspace:."
  dependencies:
-    "@actions/core": "npm:^3.0.0"
-    "@docker/actions-toolkit": "npm:0.79.0"
+    "@actions/core": "npm:^3.0.1"
+    "@docker/actions-toolkit": "npm:0.87.0"
    "@eslint/js": "npm:^9.39.3"
    "@types/node": "npm:^24.11.0"
    "@typescript-eslint/eslint-plugin": "npm:^8.56.1"
@@ -2115,7 +2137,7 @@ __metadata:
    eslint-config-prettier: "npm:^10.1.8"
    eslint-plugin-prettier: "npm:^5.5.5"
    globals: "npm:^17.3.0"
-    handlebars: "npm:^4.7.7"
+    handlebars: "npm:^4.7.9"
    prettier: "npm:^3.8.1"
    typescript: "npm:^5.9.3"
    vitest: "npm:^4.0.18"
@@ -2720,9 +2742,9 @@ __metadata:
  languageName: node
  linkType: hard

-"handlebars@npm:^4.7.7, handlebars@npm:^4.7.8":
-  version: 4.7.8
-  resolution: "handlebars@npm:4.7.8"
+"handlebars@npm:^4.7.9":
+  version: 4.7.9
+  resolution: "handlebars@npm:4.7.9"
  dependencies:
    minimist: "npm:^1.2.5"
    neo-async: "npm:^2.6.2"
@@ -2734,7 +2756,7 @@ __metadata:
      optional: true
  bin:
    handlebars: bin/handlebars
-  checksum: 10/bd528f4dd150adf67f3f857118ef0fa43ff79a153b1d943fa0a770f2599e38b25a7a0dbac1a3611a4ec86970fd2325a81310fb788b5c892308c9f8743bd02e11
+  checksum: 10/e755433d652e8a15fc02f83d7478e652359e7a4d354c4328818853ed4f8a39d4a09e1d22dad3c7213c5240864a65b3c840970b8b181745575dd957dd258f2b8d
  languageName: node
  linkType: hard

@@ -3114,9 +3136,9 @@ __metadata:
  linkType: hard

 "lodash@npm:^4.17.15":
-  version: 4.17.23
-  resolution: "lodash@npm:4.17.23"
-  checksum: 10/82504c88250f58da7a5a4289f57a4f759c44946c005dd232821c7688b5fcfbf4a6268f6a6cdde4b792c91edd2f3b5398c1d2a0998274432cff76def48735e233
+  version: 4.18.1
+  resolution: "lodash@npm:4.18.1"
+  checksum: 10/306fea53dfd39dad1f03d45ba654a2405aebd35797b673077f401edb7df2543623dc44b9effbb98f69b32152295fff725a4cec99c684098947430600c6af0c3f
  languageName: node
  linkType: hard

@@ -3208,7 +3230,7 @@ __metadata:
  languageName: node
  linkType: hard

-"make-fetch-happen@npm:^15.0.1, make-fetch-happen@npm:^15.0.3":
+"make-fetch-happen@npm:^15.0.1":
  version: 15.0.4
  resolution: "make-fetch-happen@npm:15.0.4"
  dependencies:
@@ -3227,6 +3249,26 @@ __metadata:
  languageName: node
  linkType: hard

+"make-fetch-happen@npm:^15.0.4":
+  version: 15.0.5
+  resolution: "make-fetch-happen@npm:15.0.5"
+  dependencies:
+    "@gar/promise-retry": "npm:^1.0.0"
+    "@npmcli/agent": "npm:^4.0.0"
+    "@npmcli/redact": "npm:^4.0.0"
+    cacache: "npm:^20.0.1"
+    http-cache-semantics: "npm:^4.1.1"
+    minipass: "npm:^7.0.2"
+    minipass-fetch: "npm:^5.0.0"
+    minipass-flush: "npm:^1.0.5"
+    minipass-pipeline: "npm:^1.2.4"
+    negotiator: "npm:^1.0.0"
+    proc-log: "npm:^6.0.0"
+    ssri: "npm:^13.0.0"
+  checksum: 10/d2649effb06c00cb2b266057cb1c8c1e99cfc8d1378e7d9c26cc8f00be41bc63d59b77a5576ed28f8105acc57fb16220b64217f8d3a6a066a594c004aa163afa
+  languageName: node
+  linkType: hard
+
 "minimatch@npm:^10.1.1, minimatch@npm:^10.2.2":
  version: 10.2.4
  resolution: "minimatch@npm:10.2.4"
@@ -3671,9 +3713,9 @@ __metadata:
  linkType: hard

 "picomatch@npm:^4.0.3":
-  version: 4.0.3
-  resolution: "picomatch@npm:4.0.3"
-  checksum: 10/57b99055f40b16798f2802916d9c17e9744e620a0db136554af01d19598b96e45e2f00014c91d1b8b13874b80caa8c295b3d589a3f72373ec4aaf54baa5962d5
+  version: 4.0.4
+  resolution: "picomatch@npm:4.0.4"
+  checksum: 10/f6ef80a3590827ce20378ae110ac78209cc4f74d39236370f1780f957b7ee41c12acde0e4651b90f39983506fd2f5e449994716f516db2e9752924aff8de93ce
  languageName: node
  linkType: hard

@@ -4505,8 +4547,8 @@ __metadata:
  linkType: hard

 "vite@npm:^6.0.0 || ^7.0.0":
-  version: 7.3.1
-  resolution: "vite@npm:7.3.1"
+  version: 7.3.2
+  resolution: "vite@npm:7.3.2"
  dependencies:
    esbuild: "npm:^0.27.0"
    fdir: "npm:^6.5.0"
@@ -4555,7 +4597,7 @@ __metadata:
      optional: true
  bin:
    vite: bin/vite.js
-  checksum: 10/62e48ffa4283b688f0049005405a004447ad38ffc99a0efea4c3aa9b7eed739f7402b43f00668c0ee5a895b684dc953d62f0722d8a92c5b2f6c95f051bceb208
+  checksum: 10/c5f7a9a60011c41c836cedf31c8ee7624102aff9b6a7f3aab2ff47639721bba0916f81994c3a3ea6577a16c4f0dfee1e7dbd244e0da8edd5954e3c6d48daaaa2
  languageName: node
  linkType: hard
Author	SHA1	Message	Date
github-actions[bot]	5ef8a11250	chore: update generated content	2026-04-24 11:54:21 +00:00
dependabot[bot]	0eacd750ff	chore(deps): Bump @actions/core from 3.0.0 to 3.0.1 Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 3.0.0 to 3.0.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-24 11:53:12 +00:00
CrazyMax	e0fea16cbf	Merge pull request #1519 from docker/dependabot/github_actions/actions/setup-node-6.4.0 chore(deps): Bump actions/setup-node from 6.3.0 to 6.4.0	2026-04-24 09:48:12 +02:00
CrazyMax	f832d4c773	Merge pull request #1520 from docker/dependabot/github_actions/crazy-max-dot-github-6f136b1f9e chore(deps): Bump the crazy-max-dot-github group with 2 updates	2026-04-24 09:46:03 +02:00
dependabot[bot]	17a24e14ed	chore(deps): Bump the crazy-max-dot-github group with 2 updates Bumps the crazy-max-dot-github group with 2 updates: [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](https://github.com/crazy-max/.github/compare/d89fe92d808a15e2b2ed5cdb62db7c172c31410d...4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](https://github.com/crazy-max/.github/compare/d89fe92d808a15e2b2ed5cdb62db7c172c31410d...4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-22 11:52:24 +00:00
dependabot[bot]	ad938becb9	chore(deps): Bump actions/setup-node from 6.3.0 to 6.4.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-21 11:52:31 +00:00
Tõnis Tiigi	c269a24fa2	Merge pull request #1516 from crazy-max/fix-zizmor ci(zizmor): update rules	2026-04-15 14:25:13 -07:00
CrazyMax	64fda479ac	ci(zizmor): update rules Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-15 16:01:32 +02:00
CrazyMax	c1d0c0cc42	Merge pull request #1514 from docker/dependabot/github_actions/actions/create-github-app-token-3.1.1 chore(deps): Bump actions/create-github-app-token from 3.0.0 to 3.1.1	2026-04-15 14:48:56 +02:00
CrazyMax	d5c8665698	Merge pull request #1515 from docker/dependabot/github_actions/actions/cache-5.0.5 chore(deps): Bump actions/cache from 5.0.4 to 5.0.5	2026-04-15 14:48:40 +02:00
dependabot[bot]	e4086eff94	chore(deps): Bump actions/cache from 5.0.4 to 5.0.5 Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-15 11:54:10 +00:00
CrazyMax	e6ed27f63f	Merge pull request #1513 from docker/dependabot/github_actions/docker/bake-action-7.1.0 chore(deps): Bump docker/bake-action from 7.0.0 to 7.1.0	2026-04-14 10:54:30 +02:00
dependabot[bot]	dba6f6cfd6	chore(deps): Bump actions/create-github-app-token from 3.0.0 to 3.1.1 Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 3.0.0 to 3.1.1. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/f8d387b68d61c58ab83c6c016672934102569859...1b10c78c7865c340bc4f6099eb2f838309f1e8c3) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-13 12:35:24 +00:00
dependabot[bot]	4fc600fc62	chore(deps): Bump docker/bake-action from 7.0.0 to 7.1.0 Bumps [docker/bake-action](https://github.com/docker/bake-action) from 7.0.0 to 7.1.0. - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](https://github.com/docker/bake-action/compare/82490499d2e5613fcead7e128237ef0b0ea210f7...a66e1c87e2eca0503c343edf1d208c716d54b8a8) --- updated-dependencies: - dependency-name: docker/bake-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-13 12:34:56 +00:00
CrazyMax	bcafcacb16	Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2 chore(deps): Bump vite from 7.3.1 to 7.3.2	2026-04-09 19:49:37 +02:00
CrazyMax	18e62f1158	Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1 chore(deps): Bump lodash from 4.17.23 to 4.18.1	2026-04-09 19:48:40 +02:00
github-actions[bot]	46580d2c9d	chore: update generated content	2026-04-09 17:44:17 +00:00
dependabot[bot]	3f80b252ca	chore(deps): Bump lodash from 4.17.23 to 4.18.1 Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-09 17:43:05 +00:00
CrazyMax	efeec9557c	Merge pull request #1505 from crazy-max/refactor-git-context refactor: use new gitContext for build context resolution	2026-04-09 19:38:17 +02:00
CrazyMax	ddf04b08eb	Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-github-f0991e81fd chore(deps): Bump the crazy-max-dot-github group with 2 updates	2026-04-09 10:21:34 +02:00
dependabot[bot]	db08d97a08	chore(deps): Bump the crazy-max-dot-github group with 2 updates Bumps the crazy-max-dot-github group with 2 updates: [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.3.0 to 1.6.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](https://github.com/crazy-max/.github/compare/bb328ea508cd6a89d0865555ddbeb148e5724aed...d89fe92d808a15e2b2ed5cdb62db7c172c31410d) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.3.0 to 1.6.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](https://github.com/crazy-max/.github/compare/bb328ea508cd6a89d0865555ddbeb148e5724aed...d89fe92d808a15e2b2ed5cdb62db7c172c31410d) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-09 08:17:23 +00:00
CrazyMax	ef1fb9688f	Merge pull request #1508 from docker/dependabot/github_actions/docker/login-action-4.1.0 chore(deps): Bump docker/login-action from 4.0.0 to 4.1.0	2026-04-08 12:55:35 +02:00
CrazyMax	2d8f2a1a37	chore: update generated content Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-08 12:50:34 +02:00
CrazyMax	919ac7bd7d	fix test since secrets are not written to temp path anymore Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-08 12:49:36 +02:00
CrazyMax	c850e6994a	refactor: use new gitContext for build context resolution Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-08 12:49:35 +02:00
CrazyMax	56795cf70a	bump @docker/actions-toolkit from 0.79.0 to 0.87.0 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-08 12:49:35 +02:00
dependabot[bot]	c991b20ccb	chore(deps): Bump vite from 7.3.1 to 7.3.2 Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-06 21:43:23 +00:00
dependabot[bot]	e2565a753f	chore(deps): Bump docker/login-action from 4.0.0 to 4.1.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/b45d80f862d83dbcd57f89517bcf500b2ab88fb2...4907a6ddec9925e35a0a9e82d7399ccc52663121) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-06 11:53:15 +00:00
CrazyMax	83bfd93ab4	Merge pull request #1496 from docker/dependabot/npm_and_yarn/picomatch-4.0.4 chore(deps): Bump picomatch from 4.0.3 to 4.0.4	2026-04-01 15:17:17 +02:00
CrazyMax	a7d4e2ac29	Merge pull request #1497 from docker/dependabot/npm_and_yarn/handlebars-4.7.9 chore(deps): Bump handlebars from 4.7.8 to 4.7.9	2026-04-01 15:17:00 +02:00
CrazyMax	00c4e32030	Merge pull request #1504 from crazy-max/fix-update-dist ci: stop update-dist reruns after generated dist pushes	2026-04-01 15:07:55 +02:00
github-actions[bot]	7144aa40aa	chore: update generated content	2026-04-01 11:04:06 +00:00
dependabot[bot]	00a2ffdccc	chore(deps): Bump handlebars from 4.7.8 to 4.7.9 Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9. - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9) --- updated-dependencies: - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-01 11:02:58 +00:00
CrazyMax	dab806366e	Merge pull request #1500 from docker/dependabot/npm_and_yarn/brace-expansion-1.1.13 chore(deps): Bump brace-expansion from 1.1.12 to 1.1.13	2026-04-01 13:00:46 +02:00
CrazyMax	a691600376	ci: stop update-dist reruns after generated dist pushes Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-04-01 12:59:41 +02:00
CrazyMax	c5117b60bc	Merge pull request #1503 from docker/dependabot/github_actions/codecov/codecov-action-6.0.0 chore(deps): Bump codecov/codecov-action from 5.5.4 to 6.0.0	2026-03-31 09:31:46 +02:00
dependabot[bot]	3e0f90700c	chore(deps): Bump codecov/codecov-action from 5.5.4 to 6.0.0 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.4 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/75cd11691c0faa626561e295848008c8a7dddffe...57e3a136b779b570ffcdbf80b3bdc90e7fab3de2) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-31 01:51:50 +00:00
Tõnis Tiigi	502612d464	Merge pull request #1501 from crazy-max/zizmor ci: zizmor workflow	2026-03-30 18:49:21 -07:00
CrazyMax	81e9d51607	fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-30 13:40:47 +02:00
CrazyMax	d61b4b1884	ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-30 12:10:46 +02:00
github-actions[bot]	19413e5c69	chore: update generated content	2026-03-27 14:22:21 +00:00
dependabot[bot]	2cd9929dbc	chore(deps): Bump brace-expansion from 1.1.12 to 1.1.13 Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 1.1.13. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 14:21:11 +00:00
dependabot[bot]	5e0c3c443d	chore(deps): Bump picomatch from 4.0.3 to 4.0.4 Bumps [picomatch](https://github.com/micromatch/picomatch) from 4.0.3 to 4.0.4. - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4) --- updated-dependencies: - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-26 07:52:14 +00:00