build(deps): bump the crazy-max-dot-github group across 1 directory with 3 updates

Bumps the crazy-max-dot-github group with 3 updates in the / directory: [crazy-max/.github/.github/actions/install-k3s](https://github.com/crazy-max/.github), [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/actions/install-k3s` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](9ba6e6f945...46267a6e61) Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](9ba6e6f945...46267a6e61) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](9ba6e6f945...46267a6e61) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/actions/install-k3s dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #568 from docker/sec-cli/npm-ci-20260612-184913
2026-06-27 15:05:08 +08:00 · 2026-06-26 04:42:16 +00:00 · 2026-06-12 14:10:56 -05:00 · 2026-06-12 18:49:15 +00:00
9 changed files with 161 additions and 173 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -488,7 +488,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Install k3s
-        uses: crazy-max/.github/.github/actions/install-k3s@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+        uses: crazy-max/.github/.github/actions/install-k3s@46267a6e61cd56aac2fc79943df180152f4c89d6 # v1.10.1
      -
        name: Set up Docker Buildx
        id: buildx
--- a/.github/workflows/pr-assign-author.yml
+++ b/.github/workflows/pr-assign-author.yml
@@ -11,7 +11,7 @@ on:

 jobs:
  run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@46267a6e61cd56aac2fc79943df180152f4c89d6 # v1.10.1
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,7 @@ on:

 jobs:
  zizmor:
-    uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@46267a6e61cd56aac2fc79943df180152f4c89d6 # v1.10.1
    permissions:
      contents: read
      security-events: write
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -17,7 +17,7 @@ FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  yarn install && mkdir /vendor && cp yarn.lock /vendor
+  yarn install --immutable && mkdir /vendor && cp yarn.lock /vendor

 FROM scratch AS vendor-update
 COPY --from=deps /vendor /
--- a/dist/index.cjs
+++ b/dist/index.cjs
--- a/dist/index.cjs.map
+++ b/dist/index.cjs.map
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
@@ -1792,12 +1792,11 @@ SOFTWARE.

 -----------

-The following npm packages may be included in this product:
+The following npm package may be included in this product:

 - js-yaml@4.1.1
- - js-yaml@4.2.0

-These packages each contain the following license:
+This package contains the following license:

 (The MIT License)

--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
  "dependencies": {
    "@actions/core": "^3.0.1",
    "@docker/actions-toolkit": "^0.91.0",
-    "js-yaml": "^4.2.0"
+    "js-yaml": "^4.1.1"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.3",
--- a/yarn.lock
+++ b/yarn.lock
@@ -2843,7 +2843,7 @@ __metadata:
    eslint-plugin-prettier: "npm:^5.5.5"
    generate-license-file: "npm:^4.1.1"
    globals: "npm:^17.3.0"
-    js-yaml: "npm:^4.2.0"
+    js-yaml: "npm:^4.1.1"
    prettier: "npm:^3.8.1"
    typescript: "npm:^5.9.3"
    vitest: "npm:^4.0.18"
@@ -4000,17 +4000,6 @@ __metadata:
  languageName: node
  linkType: hard

-"js-yaml@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "js-yaml@npm:4.2.0"
-  dependencies:
-    argparse: "npm:^2.0.1"
-  bin:
-    js-yaml: bin/js-yaml.js
-  checksum: 10/51de2067a2b44b07ba5206132e56005f8b568ff279bb4d2f645068958c56fa4827d40a6841c983234671fa0a134bf094d0b0717873c2a3d319185297af145a6d
-  languageName: node
-  linkType: hard
-
 "jsbn@npm:1.1.0":
  version: 1.1.0
  resolution: "jsbn@npm:1.1.0"
Author	SHA1	Message	Date
dependabot[bot]	142404afb1	build(deps): bump the crazy-max-dot-github group across 1 directory with 3 updates Bumps the crazy-max-dot-github group with 3 updates in the / directory: [crazy-max/.github/.github/actions/install-k3s](https://github.com/crazy-max/.github), [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/actions/install-k3s` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`9ba6e6f945...46267a6e61`) Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`9ba6e6f945...46267a6e61`) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.8.0 to 1.10.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`9ba6e6f945...46267a6e61`) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/actions/install-k3s dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-26 04:42:16 +00:00
temenuzhka-thede	c887d9748d	Merge pull request #568 from docker/sec-cli/npm-ci-20260612-184913 Some checks failed zizmor / zizmor (push) Failing after 1s Details validate / prepare (push) Successful in 48s Details codeql / analyze (push) Failing after 1m28s Details test / test (push) Successful in 2m12s Details validate / validate (push) Successful in 1m51s Details ci / main (cloud:v0.11.2-desktop.2) (push) Failing after 21s Details ci / windows-error (push) Waiting to run Details ci / main () (push) Successful in 24s Details ci / main (v0.4.1) (push) Successful in 22s Details ci / main (cloud:latest) (push) Successful in 34s Details ci / main (latest) (push) Successful in 32s Details ci / multi (push) Successful in 34s Details ci / main (lab:latest) (push) Successful in 42s Details ci / use (false) (push) Successful in 21s Details ci / use (true) (push) Successful in 29s Details ci / docker-driver (push) Successful in 19s Details ci / error (push) Failing after 56s Details ci / driver (image=moby/buildkit:latest) (push) Successful in 26s Details ci / endpoint (push) Failing after 22s Details ci / driver (image=moby/buildkit:master network=host ) (push) Successful in 36s Details ci / debug (push) Successful in 57s Details ci / with-qemu (, all) (push) Successful in 30s Details ci / buildkitd-config-inline (push) Successful in 42s Details ci / with-qemu (v0.9.1, arm64,riscv64,arm) (push) Failing after 31s Details ci / with-qemu (v0.9.1, all) (push) Failing after 42s Details ci / with-qemu (, arm64,riscv64,arm) (push) Successful in 49s Details ci / build-ref (refs/pull/731/head) (push) Failing after 22s Details ci / build-ref (master) (push) Successful in 42s Details ci / buildkitd-config (push) Successful in 1m26s Details ci / standalone-cmd (push) Successful in 41s Details ci / platforms (push) Successful in 32s Details ci / docker-context (push) Successful in 24s Details ci / cleanup (false) (push) Successful in 21s Details ci / standalone-action (push) Successful in 50s Details ci / append (push) Successful in 49s Details ci / cleanup (true) (push) Successful in 29s Details ci / k3s (latest) (push) Failing after 27s Details ci / k3s (v0.11.0) (push) Failing after 18s Details ci / cache-binary (true) (push) Failing after 19s Details ci / cache-binary (false) (push) Failing after 26s Details ci / keep-state-error (push) Successful in 17s Details ci / k3s (v0.10.5) (push) Failing after 41s Details ci / keep-state (push) Successful in 32s Details ci / build-ref (cb185f095fd3d9444e0aa605d3789e9e05f2a1e7) (push) Failing after 3m22s Details ci / build-ref (refs/tags/v0.5.1) (push) Failing after 3m28s Details fix: replace npm install with npm ci (20260612-184913)	2026-06-12 14:10:56 -05:00
securityeng-bot[bot]	cfdae34ead	fix: use lockfile-aware install commands	2026-06-12 18:49:15 +00:00