ci: bump docker/login-action from 3 to 4 #2

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/docker/login-action-4

dependabot Bot commented on behalf of github Mar 28, 2026

Bumps docker/login-action from 3 to 4.

Release notes

Sourced from docker/login-action's releases.

v4.0.0

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/login-action@v3.6.0...v3.7.0

v3.6.0

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

Full Changelog: docker/login-action@v3.4.0...v3.5.0

v3.4.0

Full Changelog: docker/login-action@v3.3.0...v3.4.0

... (truncated)

Commits
  • b45d80f Merge pull request #929 from crazy-max/node24
  • 176cb9c node 24 as default runtime
  • cad8984 Merge pull request #920 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 92cbcb2 chore: update generated content
  • 5a2d6a7 build(deps): bump the aws-sdk-dependencies group with 2 updates
  • 44512b6 Merge pull request #928 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 28737a5 chore: update generated content
  • dac0793 build(deps): bump @​docker/actions-toolkit from 0.76.0 to 0.77.0
  • 62029f3 Merge pull request #919 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
  • 08c8f06 chore: update generated content
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Mar 28, 2026
@EricAndrechek

Closing — superseded by the SHA-pinning work in #55.

This PR bumps docker/login-action@v3 → @v4 via tag. After #55 merges, docker/login-action will be SHA-pinned to v3.7.0. Dependabot will re-evaluate against the pinned format and, if it still wants to bump to v4, will open a fresh PR targeting the new pin format. That PR will be classified as a major bump and held for human review per .github/workflows/dependabot-automerge.yml.


— Posted by Claude Code on behalf of @EricAndrechek
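The tag-versus-SHA distinction in the comment above can be checked mechanically. The following is an added example, not code from this PR or repository: it flags `uses:` references that are not pinned to a full 40-character commit SHA, and goes slightly beyond the comment by also handling local and `docker://` references. The function names are hypothetical, the sample workflow is constructed, and the 40-hex value is a placeholder rather than the real v3.7.0 commit.

```python
import re

# `uses:` line: optional list dash, optional quotes, optional trailing "# comment".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one `uses:` value as 'local', 'digest', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"  # lives in this repo, versioned together with the workflow
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.match(version):
        return "sha"
    return "mutable"  # tag, branch, abbreviated SHA, or no ref at all


def audit(workflow_text):
    """Return (line_no, ref, kind, comment) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref, comment = m.group(1), (m.group(2) or "").strip()
            findings.append((line_no, ref, classify(ref), comment))
    return findings


def unpinned(workflow_text):
    """Return (line_no, ref) for references a tag or branch move could change."""
    return [(n, ref) for n, ref, kind, _ in audit(workflow_text) if kind == "mutable"]


# Constructed sample steps. The 40-hex value is a placeholder,
# NOT the real commit behind docker/login-action v3.7.0.
SAMPLE = """\
steps:
  - uses: docker/login-action@v3
  - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3.7.0
  - uses: ./.github/actions/assign-and-request-review
  - name: abbreviated SHA, not a full pin
    uses: docker/login-action@b45d80f
"""

if __name__ == "__main__":
    for line_no, ref in unpinned(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

The trailing `# v3.7.0` comment is captured separately so a reviewer can compare the human-readable version against the commit the SHA actually resolves to.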

dependabot Bot commented on behalf of github Apr 21, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot Bot deleted the dependabot/github_actions/docker/login-action-4 branch April 21, 2026 17:00
EricAndrechek added a commit that referenced this pull request Apr 23, 2026
Medium-severity findings from Claude's re-review, plus three
unresolved Copilot threads tied to the same work.

1. board-state-sync.yml guard used `exit 0` on missing
   PROJECT_BOARD_TOKEN — which only exits the step shell, not the
   job. Subsequent steps would run with an empty GH_TOKEN and
   fail. Switched to the SKIP_BOARD=true env-var pattern used in
   project-orchestrator.yml (Claude Medium #1).

2. project-orchestrator.yml: when SKIP_BOARD is set, the pr-status
   step is skipped and its `promote` output is unset, which caused
   the Assign + request review step's `promote == 'true'`
   condition to silently fail — skipping reviewer assignment even
   though that operation uses GITHUB_TOKEN and doesn't need the
   board token. Extended the condition to also allow
   `env.SKIP_BOARD == 'true'` (Claude Medium #2).

3. dependabot-automerge.yml major-bump flow: reordered so the
   token guard + board-add + assign steps run before the comment,
   and the comment wording is now conditional on SKIP_BOARD —
   previously the comment claimed "Added to the Task Board" before
   the board-add even ran, and if the token was missing the claim
   was false (Claude Low #3 / Copilot R4 restated).

4. AGENTS.md §Review tooling reference table — three stale facts
   corrected to match the new implementation:
   - review-request channel IS used now (not "intentionally not")
   - re-eval trigger is workflow_run + bot COMMENTED reviews, not
     check_suite (documented the GITHUB_TOKEN suppression reason)
   - reviewer selection is single-pick parity-based, not "both
     admins"
   (Claude Low #4)

5. Copilot R4 remaining: board-state-sync comment referenced
   `closingPullRequestsReferences` on a line I hadn't fixed in an
   earlier round. Verified all references now align on
   `closedByPullRequestsReferences` (the actual field name).

Also added a SKIP_BOARD guard to every subsequent step in
board-state-sync.yml so the "not-configured" path produces a clean
no-op instead of a cascade of failing gh calls.
EricAndrechek added a commit that referenced this pull request Apr 28, 2026
EricAndrechek added a commit that referenced this pull request May 12, 2026

## Summary

Delete `project-orchestrator.yml` (and the two composite actions +
helper script it owned), fold the only behaviour worth keeping
(reviewer-assign on first open) into `housekeeping.yml`, and rely on
GitHub's native Projects-v2 workflows for everything else the
orchestrator was doing on the board.

**Net diff: −887 lines.** Workflow runs per non-Dependabot PR push go
from ~8 to ~5.

## Why now

The orchestrator was doing two conceptually separate jobs squeezed into
one workflow:
1. **Reviewer assignment** — pick the non-author admin, assign them,
request their review.
2. **Task Board state machine** — mirror PR state into project #7's
Status field, with "opposite semantics" between PR cards and
linked-issue cards.

For a 4-person team, #1 is genuinely useful as automation and #2 is
mostly bookkeeping that GitHub already provides natively (or that's a
one-click manual operation on the rare event it doesn't). Each PR push
was triggering 3-4 orchestrator runs through `workflow_run` chains, and
the workflow has been the largest single source of cross-trigger
complexity (GraphQL `statusCheckRollup` perms, integration-token `NONE`
for private members, etc. — every recent CI fix has touched it).

## What the native Project workflows already handle

Project #7 has these enabled (verified via `gh api graphql ... {
projectV2 { workflows } }`):

- **Auto-add to project** — new PRs / issues land on the board
automatically.
- **Item added to project** — sets the default Status when added
(configurable in the project UI; defaults to your project's setup).
- **Pull request merged** — sets Status = Done on merge.
- **Item closed** — sets Status when an issue is closed.
- **Pull request linked to issue** — auto-links via `Closes #N`
keywords.
- **Auto-close issue** — closes linked issues when PR merges.
- **Auto-add sub-issues to project**.

That covers placement, initial Status, and Done-on-merge. The
orchestrator's remaining custom behaviours are dropped (see "trade-offs"
below).

## Files

**Deleted:**
- `.github/workflows/project-orchestrator.yml` (546 lines)
- `.github/actions/board-upsert-status/` (composite, only orchestrator +
the now-trimmed dependabot-automerge step used it)
- `.github/actions/set-linked-issues-status/` (composite, only
orchestrator used it)
- `.github/scripts/board-fetch-item.sh` (helper, only the above used it)

**Kept:**
- `.github/actions/assign-and-request-review/` — still used by
`dependabot-automerge.yml` and now also `housekeeping.yml`.

**Modified:**
- `housekeeping.yml` — added a reviewer-assign step that fires on
`pull_request_target: opened` / `ready_for_review` (NOT on `synchronize`
— composite is idempotent but firing per-push would re-spam reviewers
after `dismiss_stale_reviews_on_push` clears a request following
CHANGES_REQUESTED). Picks the non-author admin by the same parity logic
the orchestrator used. `continue-on-error: true` so a flaky
review-request can't mask the title-lint required check's exit code.
`ready_for_review` added to the workflow's trigger types so the draft →
ready flip pings the reviewer.
- `dependabot-automerge.yml` — drop the board-upsert step (native
handles it), drop the `PROJECT_BOARD_TOKEN` guard (no longer needed in
this workflow), drop the `board-config.env` load (no consumers left),
and apply the marker-comment upsert pattern to the major-bump comment
(same fix as #114 — folded in here since they touch the same step).
- `.github/board-config.env` — drop `STATUS_*` (no consumers left) and
`ADMINS` (was only read by orchestrator; `housekeeping.yml` and
`admin-approval.yml` both inline it). Keep `PROJECT_OWNER` / `NUMBER` /
`ID` and `PRIORITY_*` for `triage.yml`.

## Trade-offs you're explicitly accepting

| Lost behaviour | Replacement |
|---|---|
| Reviewer pinged after CI + Claude go green | Reviewer pinged at open. They can ignore the ping until checks settle. |
| Status promoted to Ready only on bot-clean | Status = whatever the project's "Item added" workflow sets. |
| `changes_requested` moves PR card to "In review" | One click in the project UI when it happens. |
| Linked issues auto-mirror PR state (opposite semantics) | Manual / not mirrored. The PR list itself shows what needs review. |
| Auto-flip draft → ready on bot-clean | Author manually clicks "Mark ready" (informative signal). |
| `re_requested` re-fires review request | Author manually clicks "Re-request review" (the GitHub default). |

## Conflict with #114

#114 (the standalone dependabot major-bump comment upsert fix) and this
PR both edit the same step. Whichever lands first, the other needs a
trivial rebase. The upsert pattern in this PR matches #114 exactly, so
if #114 lands first the conflict resolution is "take theirs"; if this
lands first, #114 closes as already-incorporated.

## Test plan

- [ ] Open a fresh non-Dependabot PR: `housekeeping` runs, assigns the
non-author admin, requests their review. No orchestrator runs fire.
- [ ] Open a major-version Dependabot PR: both admins assigned, comment
posted with marker, no board-upsert step in the run log.
- [ ] Open a Dependabot patch / minor PR: auto-approve + auto-merge as
before.
- [ ] Open a draft, push commits, mark ready: reviewer pinged at the
ready_for_review event, not earlier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>