
chore(deps): update docker/build-push-action action to v7.2.0 #79

Open: renovate[bot] wants to merge 1 commit into main from renovate/docker-build-push-action-7.x

renovate[bot] commented Jun 16, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| docker/build-push-action | action | minor | v7.1.0 → v7.2.0 |

Release Notes

docker/build-push-action (docker/build-push-action)

v7.2.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Update: docker/build-push-action v7.1.0 → v7.2.0 (minor update)

Release Date: May 21, 2025

Major Changes:

  • Dependency updates focused on security and stability
  • @actions/core: 3.0.0 → 3.0.1
  • @docker/actions-toolkit: 0.87.0 → 0.90.0
  • tar: 6.2.1 → 7.5.15
  • brace-expansion: 2.0.2 → 5.0.6
  • fast-xml-parser: 5.5.7 → 5.8.0
  • fast-xml-builder: 1.1.4 → 1.2.0
  • postcss: 8.5.6 → 8.5.10

Breaking Changes: None identified

Security Fixes:

  • The tar package update (6.2.1 → 7.5.15) includes multiple critical security fixes:
    • CVE-2026-23745 (HIGH): Path traversal vulnerability allowing arbitrary file overwrite, fixed in 7.5.3
    • CVE-2025-64118 (MEDIUM): Race condition causing uninitialized memory exposure, fixed in 7.5.2
    • Multiple earlier CVEs from 2021 (CVE-2021-32803, CVE-2021-37712) addressed in intermediate versions

This update brings significant security hardening through dependency updates, particularly addressing multiple high-severity vulnerabilities in the tar package.

🎯 Impact Scope Investigation

Usage Locations:

  1. .github/workflows/ci.yml:84 - E2E test job for building Docker images with cache
    • Inputs used: context, load, tags, cache-from, cache-to
  2. .github/workflows/release-please.yml:75 - Release publishing workflow
    • Inputs used: context, push, platforms, tags, labels, cache-from, cache-to

API Compatibility: All inputs used in the codebase remain valid and unchanged:

  • context - Valid
  • load - Valid
  • tags - Valid
  • cache-from - Valid
  • cache-to - Valid
  • push - Valid
  • platforms - Valid
  • labels - Valid

Dependency Impact: No downstream dependency conflicts expected. This is a GitHub Action update that:

  • Does not affect the sandbox application code
  • Does not modify Docker build behavior or outputs
  • Maintains backward compatibility with all existing inputs
  • Only changes internal dependency versions

Configuration Impact: None. No changes required to workflow files beyond version bump.

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - The update is safe and brings important security fixes
  2. No code changes required
  3. No configuration modifications needed
  4. No manual migration steps necessary

Verification Steps (automatically covered by CI):

  • The CI workflow will run automatically and verify Docker build functionality
  • E2E tests will validate the complete build pipeline
  • Multi-platform builds (amd64/arm64) will be tested on the next release

Additional Context:

  • This is a maintenance update focused on security hardening
  • The previous version (v7.1.0, April 2025) introduced Git context query format support
  • Current version (v7.2.0, May 2025) focuses on dependency security patches
  • No behavioral changes expected in Docker build/push operations

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
