build(deps): bump docker/login-action from 3.6.0 to 4.1.0

[dependabot]

Bumps docker/login-action from 3.6.0 to 4.1.0.

Release notes

Sourced from docker/login-action's releases.

v4.1.0

• Fix scoped Docker Hub cleanup path when registry is omitted by @​crazy-max in docker/login-action#945
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1020.0 in docker/login-action#930
• Bump @​docker/actions-toolkit from 0.77.0 to 0.86.0 in docker/login-action#932 docker/login-action#936
• Bump brace-expansion from 1.1.12 to 1.1.13 in docker/login-action#952
• Bump fast-xml-parser from 5.3.4 to 5.3.6 in docker/login-action#942
• Bump flatted from 3.3.3 to 3.4.2 in docker/login-action#944
• Bump glob from 10.3.12 to 10.5.0 in docker/login-action#940
• Bump handlebars from 4.7.8 to 4.7.9 in docker/login-action#949
• Bump http-proxy-agent and https-proxy-agent to 8.0.0 in docker/login-action#937
• Bump lodash from 4.17.23 to 4.18.1 in docker/login-action#958
• Bump minimatch from 3.1.2 to 3.1.5 in docker/login-action#941
• Bump picomatch from 4.0.3 to 4.0.4 in docker/login-action#948
• Bump undici from 6.23.0 to 6.24.1 in docker/login-action#938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/login-action#929
• Switch to ESM and update config/test wiring by @​crazy-max in docker/login-action#927
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/login-action#919
• Bump @​aws-sdk/client-ecr from 3.890.0 to 3.1000.0 in docker/login-action#909 docker/login-action#920
• Bump @​aws-sdk/client-ecr-public from 3.890.0 to 3.1000.0 in docker/login-action#909 docker/login-action#920
• Bump @​docker/actions-toolkit from 0.63.0 to 0.77.0 in docker/login-action#910 docker/login-action#928
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in docker/login-action#921
• Bump js-yaml from 4.1.0 to 4.1.1 in docker/login-action#901

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

• Add scope input to set scopes for the authentication token by @​crazy-max in docker/login-action#912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in docker/login-action#914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in docker/login-action#911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in docker/login-action#915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits

• 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 1e233e6 chore: update generated content
• 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
• ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
• 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
• a6f092b chore: update generated content
• 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
• 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 102c0e6 chore: update generated content
• Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 30, 2026, 9:55 AM ET / 13:55 UTC.

Summary
The branch updates the Live Media Runner Image workflow's GHCR login step from docker/login-action v3.6.0 to the v4.1.0 release SHA.

PR surface: Config 0. Total 0 across 1 file.

Reproducibility: not applicable. this is a workflow dependency upgrade rather than a reported runtime bug. The reviewed behavior is the one-line pinned action change in the live-media image workflow.

Review metrics: 2 noteworthy metrics.

• Action runtime changed: 1 action runtime moves node20 -> node24. docker/login-action v4.1.0 uses node24 and upstream v4.0 notes require a sufficiently new Actions runner, so this needs workflow-runner verification.
• Sibling GHCR login pins: 8 existing v4.1.0 SHA uses, 1 remaining v3.6.0 use. Current main already uses the target pin in docker-release and install-smoke, making this PR an alignment change for the remaining live-media workflow.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Run or monitor the Live Media Runner Image workflow and confirm the v4.1.0 action logs into GHCR and pushes the image successfully.

Risk before merge

• [P1] docker/login-action v4 runs on node24, and upstream release notes require Actions Runner v2.327.1 or later; a Blacksmith runner mismatch would break the live-media image publish workflow.
• [P1] The workflow handles GHCR token login and image push, so normal static checks do not prove the operational path that this dependency upgrade changes.

Maintainer options:

1. Verify the workflow before merge (recommended)
   Run or observe the Live Media Runner Image workflow with the updated action and confirm GHCR login and image push both succeed on the Blacksmith runner.
2. Accept monitored rollout
   Maintainers may land the alignment change because sibling workflows already use the same pinned v4.1.0 SHA, then monitor the next workflow_dispatch or push-triggered image build.

Next step before merge

• No automated repair is needed; the remaining action is maintainer verification of the semver-major GitHub Action upgrade in the image publishing workflow.

Security
Cleared: The diff keeps the same workflow permissions and credential flow, and the new docker/login-action reference is pinned to the verified v4.1.0 release SHA.

Review details

Best possible solution:

Land the SHA-pinned update after confirming the Live Media Runner Image workflow succeeds on the current runner; if not, update runner support or keep the old pin until the runner path is ready.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a workflow dependency upgrade rather than a reported runtime bug. The reviewed behavior is the one-line pinned action change in the live-media image workflow.

Is this the best way to solve the issue?

Yes, the patch is the narrowest maintainable update and the upstream v4 action keeps the inputs used by this workflow. The remaining question is operational proof that the node24 action runs successfully on the repository's Blacksmith workflow path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 65fe2b7e911f.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

• P3: This is low-risk dependency and workflow maintenance with limited blast radius, but it still needs maintainer workflow verification.
• merge-risk: 🚨 automation: A semver-major GitHub Action upgrade changes the runtime for a GHCR image publishing workflow, which green code tests do not fully prove.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency PRs are exempt from contributor real-behavior proof, though maintainer workflow proof is still recommended before merge.

Evidence reviewed

PR surface:

Config 0. Total 0 across 1 file.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	0	0	0	0
Docs	0	0	0	0
Config	1	1	1	0
Generated	0	0	0	0
Other	0	0	0	0
Total	1	1	1	0

What I checked:

• Repository policy read: Root AGENTS.md was read in full and applied to the PR review, including dependency-contract proof and workflow/security review guidance. (AGENTS.md:1, 65fe2b7e911f)
• Current main workflow still uses v3.6.0 here: Current main has the live-media image workflow logging into GHCR with docker/login-action pinned to the v3.6.0 commit. (.github/workflows/live-media-runner-image.yml:32, 65fe2b7e911f)
• PR diff is a one-line pinned action upgrade: The PR changes only the Login to GHCR step from the v3.6.0 SHA to the v4.1.0 SHA. (.github/workflows/live-media-runner-image.yml:32, 5fcfba32b2eb)
• Upstream tag and action metadata checked: docker/login-action tag v4.1.0 resolves to 4907a6ddec9925e35a0a9e82d7399ccc52663121, and that action keeps the registry/username/password inputs while running on node24. (4907a6ddec99)
• Semver-major runtime requirement checked: Upstream v4.0.0 release notes state that docker/login-action v4 uses Node 24 and requires Actions Runner v2.327.1 or later.
• Sibling workflows already use this v4 SHA: Current main already uses the same pinned v4.1.0 SHA in docker-release and install-smoke GHCR login steps, while live-media remains the only old v3.6.0 login-action pin found under workflows. (.github/workflows/docker-release.yml:90, 65fe2b7e911f)

Likely related people:

• Ayaan Zaidi: Blame and file history show commit 8ba79d7 introduced the live-media runner image workflow and its current docker/login-action v3.6.0 pin. (role: introduced current workflow; confidence: high; commits: 8ba79d72b45e; files: .github/workflows/live-media-runner-image.yml, .github/images/live-media-runner/Dockerfile, docs/ci.md)
• Peter Steinberger: The latest release tag commit 27ae826 added sibling Docker release/install-smoke workflows that already use the same docker/login-action v4.1.0 SHA. (role: adjacent release workflow contributor; confidence: medium; commits: 27ae826f6525; files: .github/workflows/docker-release.yml, .github/workflows/install-smoke.yml, .github/workflows/live-media-runner-image.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location workflow harbor; accessory CI status badge; palette coral, mint, and warm cream; mood celebratory; pose peeking out from the egg shell; shell starlit enamel shell; lighting golden review-room light; background small review tokens.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Lint Imp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.