ci: bump docker/login-action from 3 to 4 #2
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Closing — superseded by the SHA-pinning work in #55. This PR bumps — Posted by Claude Code on behalf of @EricAndrechek
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Medium-severity findings from Claude's re-review, plus three unresolved Copilot threads tied to the same work.

1. board-state-sync.yml guard used `exit 0` on missing PROJECT_BOARD_TOKEN — which only exits the step shell, not the job. Subsequent steps would run with an empty GH_TOKEN and fail. Switched to the SKIP_BOARD=true env-var pattern used in project-orchestrator.yml (Claude Medium #1).

2. project-orchestrator.yml: when SKIP_BOARD is set, the pr-status step is skipped and its `promote` output is unset, which caused the Assign + request review step's `promote == 'true'` condition to silently fail — skipping reviewer assignment even though that operation uses GITHUB_TOKEN and doesn't need the board token. Extended the condition to also allow `env.SKIP_BOARD == 'true'` (Claude Medium #2).

3. dependabot-automerge.yml major-bump flow: reordered so the token guard + board-add + assign steps run before the comment, and the comment wording is now conditional on SKIP_BOARD — previously the comment claimed "Added to the Task Board" before the board-add even ran, and if the token was missing the claim was false (Claude Low #3 / Copilot R4 restated).

4. AGENTS.md §Review tooling reference table — three stale facts corrected to match the new implementation:
   - review-request channel IS used now (not "intentionally not")
   - re-eval trigger is workflow_run + bot COMMENTED reviews, not check_suite (documented the GITHUB_TOKEN suppression reason)
   - reviewer selection is single-pick parity-based, not "both admins" (Claude Low #4)

5. Copilot R4 remaining: board-state-sync comment referenced `closingPullRequestsReferences` on a line I hadn't fixed in an earlier round. Verified all references now align on `closedByPullRequestsReferences` (the actual field name).

Also added a SKIP_BOARD guard to every subsequent step in board-state-sync.yml so the "not-configured" path produces a clean no-op instead of a cascade of failing gh calls.
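The guard behaviour described in items 1 and 2 of the commit message above, shown as a weak job beside a corrected one. This is an added example, not the repository's workflow: the job names, step names, trigger and step commands are placeholders, and only `PROJECT_BOARD_TOKEN`, `SKIP_BOARD`, `pr-status`, `promote` and project number 7 come from the page.

```yaml
# Constructed workflow; job names, step names and commands are placeholders.
name: board-guard-demo
on: workflow_dispatch
env:
  OWNER: ${{ github.repository_owner }}
jobs:
  weak-guard:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.PROJECT_BOARD_TOKEN }}
    steps:
      - name: Guard
        run: |
          if [ -z "$GH_TOKEN" ]; then
            echo "PROJECT_BOARD_TOKEN not configured"
            exit 0   # ends this step's shell with success; the job carries on
          fi
      - name: Update board   # still runs with an empty GH_TOKEN and fails
        run: gh project item-list 7 --owner "$OWNER"

  env-flag-guard:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.PROJECT_BOARD_TOKEN }}
    steps:
      - name: Guard
        run: |
          if [ -z "$GH_TOKEN" ]; then
            echo "PROJECT_BOARD_TOKEN not configured; skipping board steps"
            echo "SKIP_BOARD=true" >> "$GITHUB_ENV"   # later steps see env.SKIP_BOARD
          fi
      - name: Read PR status
        id: pr-status
        if: env.SKIP_BOARD != 'true'
        run: echo "promote=true" >> "$GITHUB_OUTPUT"   # placeholder for the real check
      - name: Update board
        if: env.SKIP_BOARD != 'true'
        run: gh project item-list 7 --owner "$OWNER"
      - name: Assign reviewer
        # A skipped step leaves its outputs empty, so `promote == 'true'` alone
        # would be false whenever the board token is missing.
        if: steps.pr-status.outputs.promote == 'true' || env.SKIP_BOARD == 'true'
        env:
          GH_TOKEN: ${{ github.token }}   # reviewer assignment needs no board token
        run: echo "assign and request review here"   # placeholder
```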
## Summary

Delete `project-orchestrator.yml` (and the two composite actions + helper script it owned), fold the only behaviour worth keeping (reviewer-assign on first open) into `housekeeping.yml`, and rely on GitHub's native Projects-v2 workflows for everything else the orchestrator was doing on the board.

**Net diff: −887 lines.** Workflow runs per non-Dependabot PR push go from ~8 to ~5.

## Why now

The orchestrator was doing two conceptually separate jobs squeezed into one workflow:

1. **Reviewer assignment** — pick the non-author admin, assign them, request their review.
2. **Task Board state machine** — mirror PR state into project #7's Status field, with "opposite semantics" between PR cards and linked-issue cards.

For a 4-person team, #1 is genuinely useful as automation and #2 is mostly bookkeeping that GitHub already provides natively (or that's a one-click manual operation on the rare event it doesn't). Each PR push was triggering 3-4 orchestrator runs through `workflow_run` chains, and the workflow has been the largest single source of cross-trigger complexity (GraphQL `statusCheckRollup` perms, integration-token `NONE` for private members, etc. — every recent CI fix has touched it).

## What the native Project workflows already handle

Project #7 has these enabled (verified via `gh api graphql ... { projectV2 { workflows } }`):

- **Auto-add to project** — new PRs / issues land on the board automatically.
- **Item added to project** — sets the default Status when added (configurable in the project UI; defaults to your project's setup).
- **Pull request merged** — sets Status = Done on merge.
- **Item closed** — sets Status when an issue is closed.
- **Pull request linked to issue** — auto-links via `Closes #N` keywords.
- **Auto-close issue** — closes linked issues when PR merges.
- **Auto-add sub-issues to project**.

That covers placement, initial Status, and Done-on-merge. The orchestrator's remaining custom behaviours are dropped (see "trade-offs" below).

## Files

**Deleted:**

- `.github/workflows/project-orchestrator.yml` (546 lines)
- `.github/actions/board-upsert-status/` (composite, only orchestrator + the now-trimmed dependabot-automerge step used it)
- `.github/actions/set-linked-issues-status/` (composite, only orchestrator used it)
- `.github/scripts/board-fetch-item.sh` (helper, only the above used it)

**Kept:**

- `.github/actions/assign-and-request-review/` — still used by `dependabot-automerge.yml` and now also `housekeeping.yml`.

**Modified:**

- `housekeeping.yml` — added a reviewer-assign step that fires on `pull_request_target: opened` / `ready_for_review` (NOT on `synchronize` — composite is idempotent but firing per-push would re-spam reviewers after `dismiss_stale_reviews_on_push` clears a request following CHANGES_REQUESTED). Picks the non-author admin by the same parity logic the orchestrator used. `continue-on-error: true` so a flaky review-request can't mask the title-lint required check's exit code. `ready_for_review` added to the workflow's trigger types so the draft → ready flip pings the reviewer.
- `dependabot-automerge.yml` — drop the board-upsert step (native handles it), drop the `PROJECT_BOARD_TOKEN` guard (no longer needed in this workflow), drop the `board-config.env` load (no consumers left), and apply the marker-comment upsert pattern to the major-bump comment (same fix as #114 — folded in here since they touch the same step).
- `.github/board-config.env` — drop `STATUS_*` (no consumers left) and `ADMINS` (was only read by orchestrator; `housekeeping.yml` and `admin-approval.yml` both inline it). Keep `PROJECT_OWNER` / `NUMBER` / `ID` and `PRIORITY_*` for `triage.yml`.

## Trade-offs you're explicitly accepting

| Lost behaviour | Replacement |
|---|---|
| Reviewer pinged after CI + Claude go green | Reviewer pinged at open. They can ignore the ping until checks settle. |
| Status promoted to Ready only on bot-clean | Status = whatever the project's "Item added" workflow sets. |
| `changes_requested` moves PR card to "In review" | One click in the project UI when it happens. |
| Linked issues auto-mirror PR state (opposite semantics) | Manual / not mirrored. The PR list itself shows what needs review. |
| Auto-flip draft → ready on bot-clean | Author manually clicks "Mark ready" (informative signal). |
| `re_requested` re-fires review request | Author manually clicks "Re-request review" (the GitHub default). |

## Conflict with #114

#114 (the standalone dependabot major-bump comment upsert fix) and this PR both edit the same step. Whichever lands first, the other needs a trivial rebase. The upsert pattern in this PR matches #114 exactly, so if #114 lands first the conflict resolution is "take theirs"; if this lands first, #114 closes as already-incorporated.

## Test plan

- [ ] Open a fresh non-Dependabot PR: `housekeeping` runs, assigns the non-author admin, requests their review. No orchestrator runs fire.
- [ ] Open a major-version Dependabot PR: both admins assigned, comment posted with marker, no board-upsert step in the run log.
- [ ] Open a Dependabot patch / minor PR: auto-approve + auto-merge as before.
- [ ] Open a draft, push commits, mark ready: reviewer pinged at the ready_for_review event, not earlier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps docker/login-action from 3 to 4.
Release notes
Sourced from docker/login-action's releases.
... (truncated)
Commits
- b45d80f Merge pull request #929 from crazy-max/node24
- 176cb9c node 24 as default runtime
- cad8984 Merge pull request #920 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
- 92cbcb2 chore: update generated content
- 5a2d6a7 build(deps): bump the aws-sdk-dependencies group with 2 updates
- 44512b6 Merge pull request #928 from docker/dependabot/npm_and_yarn/docker/actions-to...
- 28737a5 chore: update generated content
- dac0793 build(deps): bump @docker/actions-toolkit from 0.76.0 to 0.77.0
- 62029f3 Merge pull request #919 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
- 08c8f06 chore: update generated content

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)