
build(deps): Bump docker/login-action from 4 to 4.1.0 #1010

Closed: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/docker/login-action-4.1.0

Conversation

@dependabot (Contributor) commented on behalf of github, May 27, 2026

Bumps docker/login-action from 4 to 4.1.0.

Release notes

Sourced from docker/login-action's releases.

v4.1.0

Full Changelog: docker/login-action@v4.0.0...v4.1.0

Commits
  • 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 1e233e6 chore: update generated content
  • 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
  • ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
  • d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
  • a6f092b chore: update generated content
  • 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
  • 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 102c0e6 chore: update generated content
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note: Low Risk
Single workflow action version pin with no logic or secret handling changes.

Overview
Pins docker/login-action from the floating v4 tag to v4.1.0 in the review-app package job (GHCR login before image build/push).

This is a patch-level dependency bump only; workflow steps and credentials are unchanged.

Reviewed by Cursor Bugbot for commit 49203c2. Bugbot is set up for automated code reviews on this repo.

Bumps [docker/login-action](https://github.com/docker/login-action) from 4 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v4...v4.1.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added labels May 27, 2026: Changed (required label that categorizes the merge commit message as "Changed" for the changelog), dependencies (pull requests that update a dependency file), github_actions (pull requests that update GitHub Actions code)
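The check a reviewer would run on a bump like this before trusting the tag, as an added example that is not code from this PR, from Dependabot or from docker/login-action: it classifies every `uses:` reference in workflow text as a full commit SHA, an exact version tag or a floating ref, lists the ones that are not SHA-pinned, and emits the SHA-pinned form of the step under review. The workflow text is constructed for the example (modelled on the GHCR login step quoted later in this thread, with extra steps added to exercise each pin style); the SHA for v4.1.0 is the `to=` commit that the malware-scan summary on this page reports, and resolving a tag to a commit yourself needs a network call (for example `git ls-remote`) that this script deliberately does not make.

```python
import re

# Constructed workflow text (not the repo's deploy-review.yml): the login step
# quoted in this thread plus extra steps to exercise each pin style.
SAMPLE_WORKFLOW = """\
jobs:
  package:
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Build and push
        uses: docker/build-push-action@v6
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/local-helper
"""

# v4.1.0 -> commit, as resolved in the malware-scan summary on this page.
LOGIN_ACTION_V410_SHA = "4907a6ddec9925e35a0a9e82d7399ccc52663121"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def classify_ref(ref):
    """Full SHA, exact version tag, or a floating ref (v4, main, ...).

    Only the SHA is immutable: any tag, exact or not, can be moved by the
    upstream repository, so an exact tag is still a trust decision."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if EXACT_TAG_RE.fullmatch(ref):
        return "exact-tag"
    return "floating"


def audit_workflow(text):
    """Return (action, ref, pin_kind) for every remote action the workflow uses."""
    findings = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images are pinned elsewhere
        if "@" not in target:
            findings.append((target, None, "no-ref"))
            continue
        action, ref = target.rsplit("@", 1)
        findings.append((action, ref, classify_ref(ref)))
    return findings


def weak_pins(findings):
    """Everything that is not pinned to a full commit SHA."""
    return [f for f in findings if f[2] != "sha"]


def sha_pinned_line(action, sha, version):
    """The hardened form: full SHA, with the human-readable version kept as a
    trailing comment so Dependabot can still recognise and bump the pin."""
    if not SHA_RE.fullmatch(sha):
        raise ValueError("expected a 40-hex commit SHA")
    return f"uses: {action}@{sha} # {version}"


if __name__ == "__main__":
    for action, ref, kind in weak_pins(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"{kind:10} {action}@{ref}")
    print(sha_pinned_line("docker/login-action", LOGIN_ACTION_V410_SHA, "v4.1.0"))
```

Run against a real checkout by reading each file under `.github/workflows/` into `audit_workflow`; the floating `v6` on the build-push step in the sample is the same class of pin this PR is tightening, and the SHA line is what Dependabot will keep bumping (it reads the version comment) once the repo moves to commit pins.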
@github-actions (bot) commented:

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how docker/login-action is used and what changed in the dependency update.
Verdict: benign

This is a routine minor bump of an official Docker GitHub Action with no supply-chain red flags.

Local PR change

  • Only usage is in .github/workflows/deploy-review.yml: docker/login-action@v4 → docker/login-action@v4.1.0.
  • Standard GHCR login (registry: ghcr.io, github.actor, github.token). No new secrets, inputs, or workflow logic.

Upstream v4.0.0 → v4.1.0

  • Tagged release from docker/login-action (v4.1.0 = 4907a6d).
  • App code change is a small bug fix in src/context.ts (scoped Docker Hub cleanup when registry is omitted).
  • package.json keeps the same direct deps; only semver bumps (AWS SDK, @docker/actions-toolkit, proxy agents, lodash, etc.).
  • No preinstall/postinstall/install lifecycle scripts.
  • Source is readable TypeScript; docker login/logout via @docker/actions-toolkit is expected behavior.

Malware scanner (hard evidence)

| Category | Result |
| --- | --- |
| Unicode / confusable / IOC | 0 |
| Heuristic | 161 (codepoint_decoder in dist/index.cjs) |
| Status | warn (warn-only) |

Scanner vs manual review: The warn status is noise, not compromise. The 161 hits are from minified bundled libs (undici, YAML/XML parsers, glob/minimatch, AWS SDK) using normal charCodeAt/fromCodePoint — not GlassWorm-style hidden payload assembly. The maintainer_drift hit (4->4.1.0) is a false positive for a GitHub Action, not an npm package.

Checklist

  • Obfuscation / eval / exfiltration: none in source; minified dist/ is normal for this action.
  • Invisible Unicode / Trojan Source: scanner clean (0).
  • Unexpected deps / ghost version: none; valid minor release with published changelog.
  • Suspicious consumer PR files: only the version pin changes (upstream CI changes are in the action repo, not this PR).

Recommendation: Safe to merge. After merge, confirm the package job in deploy-review.yml still logs into GHCR and pushes the image successfully.

Compatibility Analysis

I'll locate every docker/login-action usage and compare it to the v4.1.0 release changes.

Compatibility & adoption analysis — docker/login-action 4 → 4.1.0

1) Usage in this repo

Single call site in .github/workflows/deploy-review.yml, package job (runs only when check-secret-access is true):

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

No other workflow references docker/login-action. The step sits before docker/build-push-action to push review images to GHCR.

2) Intersection with v4.1.0 changes

| Change | Relevant to this repo? |
| --- | --- |
| #945 — scoped Docker Hub cleanup when registry omitted | No. Only scope + omitted/default registry. This workflow sets registry: ghcr.io and does not use scope. |
| AWS SDK / ECR bumps | No. ecr is unset (defaults to auto); ghcr.io is not ECR. |
| @docker/actions-toolkit 0.77 → 0.86 | Indirect only. Bundled runtime; no workflow input changes. |
| Transitive security bumps (lodash, minimatch, glob, proxy agents, etc.) | No direct API impact. Internal to the action bundle. |
| action.yml inputs | Unchanged between v4.0.0 and v4.1.0. |

Upstream source diff is limited to src/context.ts (the scoped Docker Hub fix). Login/logout behavior for explicit-registry GHCR auth is unchanged.

3) Risks / unknowns

  • Low functional risk: Same major, patch release, unchanged public inputs, usage is the standard GHCR path.
  • Validation gap: The package job is secret-gated, so CI on fork PRs may not exercise this step. Confirm on a PR with secrets access after merge.
  • Malware scan: warn from maintainer-drift heuristic on version bump only; no IOC/unicode findings. Expected for an official Docker action tag update.
  • Pinning: @v4 → @v4.1.0 is tighter pinning; still within the v4 line.

4) Recommendation

Merge.

This is a low-risk patch bump. The only behavioral fix targets a code path this repo does not use; transitive updates are security/maintenance. After merge, spot-check that the Deploy Review App on PR workflow’s package job completes login and push to GHCR on a PR with secrets access.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 14
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 650006c6eb7dba73a995cc03b0b2d7f5ca915bee..4907a6ddec9925e35a0a9e82d7399ccc52663121
  • Resolved refs: from=650006c6eb7dba73a995cc03b0b2d7f5ca915bee to=4907a6ddec9925e35a0a9e82d7399ccc52663121
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 161

Top findings

  • dist/index.cjs:2 codepoint_decoder :: ,d.message,d.stack);var p=new Error("tunneling socket could not be established, cause="+d.message);p.code="ECONNRESET",e.request.emit("error",p),n.removeSocket(s)}};vl.prototype.removeSocket=function(e){var r=this.sockets.indexOf(e);if(r!==-1){this.sockets.splice(r,1);var n=this.requests.shift();n&&this.createSocket(n,function(s){n.request.onSocket(s)})}};function AK(t,e){var r=this;vl.prototype.createSocket.call(r,t,function(n){var s=t.request.getHeader("host"),o=AO({},r.options,{socket:n,serv...[truncated]
  • dist/index.cjs:3 codepoint_decoder :: )||t.includes("\r")||t.includes("\0"))===!1}function kUe(t,e){let{headersList:r}=e,n=(r.get("referrer-policy",!0)??"").split(","),s="";if(n.length>0)for(let o=n.length;o!==0;o--){let i=n[o-1].trim();if(EUe.has(i)){s=i;break}}s!==""&&(t.referrerPolicy=s)}function LUe(){return"allowed"}function OUe(){return"success"}function MUe(){return"success"}function FUe(t){let e=null;e=t.mode,t.headersList.set("sec-fetch-mode",e,!0)}function UUe(t){let e=t.origin;if(!(e==="client"||e===void 0)){if(t.respons...[truncated]
  • dist/index.cjs:4 codepoint_decoder :: );function Q2e(t){for(let e=0;e<t.length;++e)if((t.charCodeAt(e)&-128)!==0)return!1;return!0}function D2e(t){let e=t.length;if(e<27||e>70)return!1;for(let r=0;r<e;++r){let n=t.charCodeAt(r);if(!(n>=48&&n<=57||n>=65&&n<=90||n>=97&&n<=122||n===39||n===45||n===95))return!1}return!0}function k2e(t,e){i0(e!=="failure"&&e.essence==="multipart/form-data");let r=e.parameters.get("boundary");if(r===void 0)return"failure";let n=Buffer.from(--${r},"utf8"),s=[],o={position:0};for(;t[o.position]===13&&t[o...[truncated]
  • dist/index.cjs:45 codepoint_decoder :: .trim())}};vte.exports=YF});var G0=w((_1t,Lte)=>{"use strict";var Qte=Symbol.for("undici.globalDispatcher.1"),{InvalidArgumentError:Ize}=wt(),xze=vA();kte()===void 0&&Dte(new xze);function Dte(t){if(!t||typeof t.dispatch!="function")throw new Ize("Argument agent must implement Agent");Object.defineProperty(globalThis,Qte,{value:t,writable:!0,enumerable:!1,configurable:!1})}function kte(){return globalThis[Qte]}Lte.exports={setGlobalDispatcher:Dte,getGlobalDispatcher:kte}});var H0=w((D1t,Ote)=>{...[truncated]
  • dist/index.cjs:46 codepoint_decoder :: ${o};break;case"retry":Sse(o)&&(r[s]=o);break;case"id":Bse(o)&&(r[s]=o);break;case"event":o.length>0&&(r[s]=o);break}}processEvent(e){e.retry&&Sse(e.retry)&&(this.state.reconnectionTime=parseInt(e.retry,10)),e.id&&Bse(e.id)&&(this.state.lastEventId=e.id),e.data!==void 0&&this.push({type:e.event||"message",options:{data:e.data,lastEventId:this.state.lastEventId,origin:this.state.origin}})}clearEvent(){this.event={data:void 0,event:void 0,id:void 0,retry:void 0}}};Rse.exports={EventSourceStream:k...[truncated]
  • dist/index.cjs:47 codepoint_decoder :: %s,U,U,b,n);var O=b.type==="*"?MU:b.type==="?"?OU:"\\"+b.type;s=!0,n=n.slice(0,b.reStart)+O+"\\("+U}h(),o&&(n+="\\\\");var H=!1;switch(n.charAt(0)){case"[":case".":case"(":H=!0}for(var de=a.length-1;de>-1;de--){var De=a[de],Be=n.slice(0,De.reStart),ne=n.slice(De.reStart,De.reEnd-8),ge=n.slice(De.reEnd-8,De.reEnd),$=n.slice(De.reEnd);ge+=$;var se=Be.split("(").length-1,Ct=$;for(y=0;y<se;y++)Ct=Ct.replace(/\)[+*?]?/,"");$=Ct;var ot="";$===""&&e!==KS&&(ot="$");var vt=Be+ne+$+ot+ge;n=vt}if(n!=="...[truncated]
  • dist/index.cjs:64 codepoint_decoder :: Polling status: ${Nfe.includes(u)?"Stopped":"Running"}),u==="succeeded"){let d=i(l,r);if(d!==void 0)return{response:await e(d).catch(Bfe({state:r,stateProxy:n,isOperationError:a})),status:u}}return{response:l,status:u}}async function _fe(t){let{poll:e,state:r,stateProxy:n,options:s,getOperationStatus:o,getResourceLocation:i,getOperationLocation:a,isOperationError:c,withOperationLocation:l,getPollingInterval:u,processResult:d,getError:p,updateState:m,setDelay:h,isDone:y,setErrorAsResult:I}=t,{o...[truncated]
  • dist/index.cjs:74 codepoint_decoder :: +this.showPosition(),{text:"",token:null,line:this.yylineno})},lex:function(){var o=this.next();return typeof o<"u"?o:this.lex()},begin:function(o){this.conditionStack.push(o)},popState:function(){return this.conditionStack.pop()},_currentRules:function(){return this.conditions[this.conditionStack[this.conditionStack.length-1]].rules},topState:function(){return this.conditionStack[this.conditionStack.length-2]},pushState:function(o){this.begin(o)}};return n.options={},n.performAction=function(o...[truncated]
  • dist/index.cjs:98 codepoint_decoder :: +a}catch{!n.logger||n.logger?.constructor?.name==="NoOpLogger"?console.warn(a):n.logger?.warn?.(a)}typeof i.$responseBodyText<"u"&&i.$response&&(i.$response.body=i.$responseBodyText);try{if(Zn.isInstance(o)){let{headers:c={}}=o,l=Object.entries(c);i.$metadata={httpStatusCode:o.statusCode,requestId:wY(/^x-[\w-]+-request-?id$/,l),extendedRequestId:wY(/^x-[\w-]+-id-2$/,l),cfId:wY(/^x-[\w-]+-cf-id$/,l)}}}catch{}}throw i}},wY=(t,e)=>(e.find(([r])=>r.match(t))||[void 0,void 0])[1]});var zo,Px=C(()=...[truncated]
  • dist/index.cjs:109 codepoint_decoder :: If you are using React Native, this API is not yet supported, see: https://react-native.canny.io/feature-requests/p/fetch-streaming-body);return s.stream()};return Object.assign(t,{transformToByteArray:r,transformToString:async s=>{let o=await r();if(s==="base64")return c_(o);if(s==="hex")return Di(o);if(s===void 0||s==="utf8"||s==="utf-8")return NSe(o);if(typeof TextDecoder=="function")return new TextDecoder(s).decode(o);throw new Error("TextDecoder is not available, please make sure polyfill ...[truncated]
  • dist/index.cjs:131 codepoint_decoder :: ||E==="\r"}function d(E,A){let g=A;for(;A<E.length;A++)if(E[A]=="?"||E[A]==" "){let R=E.substr(g,A-g);if(A>5&&R==="xml")return T("InvalidXml","XML declaration allowed only at the start of the document.",O(E,A));if(E[A]=="?"&&E[A+1]==">"){A++;break}continue}return A}function p(E,A){if(E.length>A+5&&E[A+1]==="-"&&E[A+2]==="-"){for(A+=3;A<E.length;A++)if(E[A]==="-"&&E[A+1]==="-"&&E[A+2]===">"){A+=2;break}}else if(E.length>A+8&&E[A+1]==="D"&&E[A+2]==="O"&&E[A+3]==="C"&&E[A+4]==="T"&&E[A+5]==="Y"&&E...[truncated]
  • dist/index.cjs:132 codepoint_decoder :: );let A=new se("!xml"),g=A,R="";this.matcher.reset(),this.entityDecoder.reset(),this.entityExpansionCount=0,this.currentExpandedLength=0;let S=this.options,P=new Ct(S.processEntities),k=E.length;for(let v=0;v<k;v++)if(E[v]==="<"){let L=E.charCodeAt(v+1);if(L===47){let D=sA(E,">",v,"Closing Tag is not closed."),F=E.substring(v+2,D).trim();if(S.removeNSPrefix){let fe=F.indexOf(":");fe!==-1&&(F=F.substr(fe+1))}F=oO(S.transformTagName,F,"",S).tagName,g&&(R=this.saveTextToParentTag(R,g,this.readonly...[truncated]
  • dist/index.cjs:135 codepoint_decoder :: ):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function XMe(E,A,g,R){let S=this.extractAttributes(E);if(R.push(A,S),this.checkStopNode(R)){let k=this.buildRawContent(E),v=this.buildAttributesForStopNode(E);return R.pop(),this.buildObjectNode(k,A,v,g)}let P=this.j2x(E,g+1,R);return R.pop(),E[this.options.textNodeName]!==void 0&&Object.keys(E).length===1?this.buildTextValNode(E[this.options.textNodeName],A,P.attrStr,g,R):this.buildObjectNode(P.val,A,P.attrStr,g)}funct...[truncated]
  • dist/index.cjs:159 codepoint_decoder :: ||t==="\r"}function npe(t,e){let r=e;for(;e<t.length;e++)if(t[e]=="?"||t[e]==" "){let n=t.substr(r,e-r);if(e>5&&n==="xml")return Dr("InvalidXml","XML declaration allowed only at the start of the document.",Cs(t,e));if(t[e]=="?"&&t[e+1]==">"){e++;break}else continue}return e}function spe(t,e){if(t.length>e+5&&t[e+1]==="-"&&t[e+2]==="-"){for(e+=3;e<t.length;e++)if(t[e]==="-"&&t[e+1]==="-"&&t[e+2]===">"){e+=2;break}}else if(t.length>e+8&&t[e+1]==="D"&&t[e+2]==="O"&&t[e+3]==="C"&&t[e+4]==="T"&&t[e+...[truncated]
  • dist/index.cjs:160 codepoint_decoder :: );let e=new js("!xml"),r=e,n="";this.matcher.reset(),this.entityDecoder.reset(),this.entityExpansionCount=0,this.currentExpandedLength=0;let s=this.options,o=new XC(s.processEntities),i=t.length;for(let a=0;a<i;a++)if(t[a]==="<"){let l=t.charCodeAt(a+1);if(l===47){let u=vh(t,">",a,"Closing Tag is not closed."),d=t.substring(a+2,u).trim();if(s.removeNSPrefix){let m=d.indexOf(":");m!==-1&&(d=d.substr(m+1))}d=Bq(s.transformTagName,d,"",s).tagName,r&&(n=this.saveTextToParentTag(n,r,this.readonlyMat...[truncated]
  • dist/index.cjs:163 codepoint_decoder :: ):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function ftt(t,e){let r=t["?xml"];if(r&&typeof r=="object"){if(e.attributesGroupName&&r[e.attributesGroupName]){let s=r[e.attributesGroupName][e.attributeNamePrefix+"version"];if(s)return s}let n=r[e.attributeNamePrefix+"version"];if(n)return n}return"1.0"}function kq(t,e,r,n,s){return!r.sanitizeName||Nm(t,{xmlVersion:s})?t:r.sanitizeName(t,{isAttribute:e,matcher:n.readOnly()})}Ks.prototype.build=function(t){if(this.opt...[truncated]
  • dist/index.cjs:189 codepoint_decoder :: `;return a.replace(/\n$/,"")}var Tat=Nat,Pat=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],vat=["scalar","sequence","mapping"];function _at(t){var e={};return t!==null&&Object.keys(t).forEach(function(r){t[r].forEach(function(n){e[String(n)]=r})}),e}function Qat(t,e){if(e=e||{},Object.keys(e).forEach(function(r){if(Pat.inde
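The two scanner categories the review above reports, invisible Unicode and the `codepoint_decoder` heuristic, as an added example; this is neither the scanner's code nor anything from docker/login-action. The page names the heuristic but not its rule, so the decoder check here is an assumption: it only fires on `fromCharCode`/`fromCodePoint` calls whose arguments are all numeric literals and decodes them, which is what separates a hard-coded hidden payload from a library that merely converts code points it receives at runtime (the noise the review attributes the 161 hits to). The invisible-character check flags Unicode format characters (category Cf), which covers the bidi controls behind Trojan Source as well as zero-width characters. Sample lines are constructed, not taken from dist/index.cjs.

```python
import re
import unicodedata

# Constructed sample lines (not from dist/index.cjs): a normal minified-library
# fragment, a Trojan Source bidi override, a zero-width character inside an
# identifier, and a payload built from numeric code points.
SAMPLES = {
    "library": "if((t.charCodeAt(e)&-128)!==0)return!1;",
    "bidi": 'var access = "user\u202e // check if admin\u2066";',
    "zero_width": "var is\u200bAdmin = true;",
    "decoder": "this[String.fromCharCode(99,111,110,115,111,108,101)].log(x);",
}

# Cf = "format" characters: bidi controls, zero-width joiners/spaces, BOM.
# Plain ASCII tabs and newlines are category Cc and are not flagged.
INVISIBLE_CATEGORIES = {"Cf"}

# Calls whose argument list is entirely numeric literals (at least two of them).
NUMERIC_CODEPOINT_CALL = re.compile(
    r"from(?:CharCode|CodePoint)\(\s*(\d+(?:\s*,\s*\d+)+)\s*\)"
)


def scan_invisible(line):
    """(column, codepoint, unicode name) for every format-category character."""
    return [
        (col, ord(ch), unicodedata.name(ch, "<unnamed>"))
        for col, ch in enumerate(line)
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES
    ]


def decode_codepoint_calls(line):
    """Decode every fromCharCode/fromCodePoint call with literal numeric args.

    A call such as fromCodePoint(t) on a runtime value does not match, so the
    charCodeAt/fromCodePoint traffic inside bundled parsers stays silent."""
    decoded = []
    for match in NUMERIC_CODEPOINT_CALL.finditer(line):
        numbers = [int(n) for n in match.group(1).split(",")]
        decoded.append("".join(chr(n) for n in numbers))
    return decoded


def triage(line):
    """One verdict per line: invisible Unicode is hard evidence, a decoded
    literal is surfaced for a human to judge, anything else is 'ok'."""
    invisible = scan_invisible(line)
    if invisible:
        return "invisible-unicode:" + ",".join(f"U+{cp:04X}" for _, cp, _ in invisible)
    decoded = decode_codepoint_calls(line)
    if decoded:
        return "decoder:" + "|".join(decoded)
    return "ok"


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:11} {triage(line)}")
```

Feed it the changed files of the upstream range (`git diff --name-only from..to` in the action repo, then each file line by line) to reproduce the two counts the summary reports; a `decoder:` verdict still needs reading, since decoding `console` is harmless while decoding a URL or `child_process` is not.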

@BrandtH22 (Contributor) commented:

@dependabot rebase

@dependabot (Contributor, Author) commented on behalf of github, Jun 1, 2026

Looks like docker/login-action is up-to-date now, so this is no longer needed.

dependabot[bot] closed this Jun 1, 2026
dependabot[bot] deleted the dependabot/github_actions/docker/login-action-4.1.0 branch June 1, 2026 20:06