Files
paperclip/.github/workflows/agent-runtime-images.yml
T
dependabot[bot] 0ec4f248af build(deps): bump docker/login-action from 3 to 4 (#8156)
## Thinking Path

> - Paperclip is the open source app people use to manage AI agents for
work
> - CI/CD pipelines use GitHub Actions to automate builds and
deployments of services
> - The `agent-runtime-images` workflow uses `docker/login-action` for
authenticating with Docker registries before pushing images
> - `docker/login-action` v3 is now superseded; v4 was released with
Node 24 as the default runtime and updated internal dependencies
(`@actions/core`, AWS SDK, `@docker/actions-toolkit`)
> - This pull request bumps `docker/login-action` from v3 to v4 in the
`agent-runtime-images.yml` workflow
> - The benefit is staying on a supported runtime version and receiving
upstream security and dependency updates

## Linked Issues or Issue Description

Automated dependency bump — no upstream issue. The underlying need is
routine dependency maintenance:

- **Change type:** Dependency version bump (GitHub Actions)
- **Scope:** Single workflow file, single-line version tag change
- **Motivation:** v4 modernizes the action runtime to Node 24 and
receives updated `@actions/core` (3.x) and AWS SDK dependencies with
security patches

## What Changed

- Bumps `docker/login-action` from `v3` → `v4` in
`.github/workflows/agent-runtime-images.yml`
- v4 switches to Node 24 as the default Actions runtime (requires runner
v2.327.1+; GitHub-hosted runners satisfy this automatically)
- No changes to the action's inputs, outputs, or behavior — the API is
fully backward-compatible

## Verification

- All CI checks pass (green) on this PR
- No input/output interface changes; the login step behavior is
identical
- GitHub-hosted runners automatically meet the Node 24 runtime
requirement (runner v2.327.1+)

## Risks

Low risk. This is a one-line version bump on a widely-used, officially
maintained Docker action. The v4 release has no breaking changes to
inputs or outputs. The only new requirement (Node 24 / runner v2.327.1+)
is satisfied by GitHub-hosted runners automatically.

## Model Used

None — automated Dependabot bump. PR description updated by Claude
Sonnet 4.6 (Anthropic, 200k context, tool use enabled) to satisfy the PR
template requirement.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have searched GitHub for duplicate or related PRs and linked
them above
- [x] I have either (a) linked existing issues with `Fixes: #` / `Closes
#` / `Refs #` OR (b) described the issue in-PR following the relevant
issue template
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] All Paperclip CI gates are green
- [ ] Greptile is 5/5 with no open P2s, recommendations, or follow-ups
- [ ] I will address all Greptile and reviewer comments before
requesting merge

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 13:47:55 -07:00

99 lines
3.7 KiB
YAML

name: Agent runtime images
on:
push:
branches: [master]
paths:
- "docker/agent-runtime/**"
- "tools/agent-shim/**"
- ".github/workflows/agent-runtime-images.yml"
workflow_dispatch:
inputs:
version:
description: "Image version tag (e.g., v1.0.0 or dev-test)"
required: true
default: "dev"
permissions:
contents: read
packages: write
id-token: write # cosign keyless OIDC
env:
REGISTRY: ghcr.io/paperclipai
VERSION: ${{ github.event.inputs.version || format('git-{0}', github.sha) }}
jobs:
build-and-sign:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log into GHCR
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Build + push all deployed harness images (linux/amd64)
id: bake
run: |
# Scope: the five harnesses the kubernetes sandbox provider supports
# out of the box (opencode, pi, codex, gemini, claude). acpx/hermes
# have Dockerfiles in the bake group but are not published by default.
# Platforms come from the bake HCL (linux/amd64).
# Use --push rather than a "*.push" --set so the wildcard does not hit
# the bake group (which has no such key -> "unknown key" error).
docker buildx bake \
-f docker/agent-runtime/buildx-bake.hcl \
base opencode pi codex gemini claude \
--push \
--metadata-file=bake-metadata.json
# Extract digests for cosign signing
BASE_DIGEST=$(jq -r '."base"."containerimage.digest"' bake-metadata.json)
OPENCODE_DIGEST=$(jq -r '."opencode"."containerimage.digest"' bake-metadata.json)
PI_DIGEST=$(jq -r '."pi"."containerimage.digest"' bake-metadata.json)
CODEX_DIGEST=$(jq -r '."codex"."containerimage.digest"' bake-metadata.json)
GEMINI_DIGEST=$(jq -r '."gemini"."containerimage.digest"' bake-metadata.json)
CLAUDE_DIGEST=$(jq -r '."claude"."containerimage.digest"' bake-metadata.json)
echo "base_digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT"
echo "opencode_digest=$OPENCODE_DIGEST" >> "$GITHUB_OUTPUT"
echo "pi_digest=$PI_DIGEST" >> "$GITHUB_OUTPUT"
echo "codex_digest=$CODEX_DIGEST" >> "$GITHUB_OUTPUT"
echo "gemini_digest=$GEMINI_DIGEST" >> "$GITHUB_OUTPUT"
echo "claude_digest=$CLAUDE_DIGEST" >> "$GITHUB_OUTPUT"
env:
VERSION: ${{ env.VERSION }}
REGISTRY: ${{ env.REGISTRY }}
- name: Cosign sign base
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-base@${{ steps.bake.outputs.base_digest }}"
- name: Cosign sign opencode
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-opencode@${{ steps.bake.outputs.opencode_digest }}"
- name: Cosign sign pi
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-pi@${{ steps.bake.outputs.pi_digest }}"
- name: Cosign sign codex
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-codex@${{ steps.bake.outputs.codex_digest }}"
- name: Cosign sign gemini
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-gemini@${{ steps.bake.outputs.gemini_digest }}"
- name: Cosign sign claude
run: |
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-claude@${{ steps.bake.outputs.claude_digest }}"