chore(deps): update docker/build-push-action action to v7.2.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker/build-push-action	action	minor	v7.1.0 → v7.2.0

---

Release Notes

docker/build-push-action (docker/build-push-action)

v7.2.0

Compare Source

• Bump @​actions/core from 3.0.0 to 3.0.1 in #​1525
• Bump @​docker/actions-toolkit from 0.87.0 to 0.90.0 in #​1517
• Bump brace-expansion from 2.0.2 to 5.0.6 in #​1534
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in #​1529
• Bump fast-xml-parser from 5.5.7 to 5.8.0 in #​1521
• Bump postcss from 8.5.6 to 8.5.10 in #​1526
• Bump tar from 6.2.1 to 7.5.15 in #​1533

Full Changelog: docker/build-push-action@v7.1.0...v7.2.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change: docker/build-push-action v7.1.0 → v7.2.0

Release Type: Minor version update with dependency maintenance

Key Changes:

• This release consists entirely of dependency updates with no breaking changes, no API modifications, and no behavioral changes
• All updated dependencies are internal to the action itself and do not affect the action's public interface

Dependency Updates:

1. @actions/core (3.0.0 → 3.0.1) - Patch update bumping undici dependency (HTTP client library)
2. @docker/actions-toolkit (0.87.0 → 0.90.0) - Minor toolkit update
3. brace-expansion (2.0.2 → 5.0.6) - Internal glob pattern library
4. fast-xml-builder (1.1.4 → 1.2.0) - XML serialization utility
5. fast-xml-parser (5.5.7 → 5.8.0) - XML parsing utility
6. postcss (8.5.6 → 8.5.10) - CSS processing library
7. tar (6.2.1 → 7.5.15) - Archive handling with security improvements

Security Improvements:

• The tar package upgrade includes important security fixes:
  • Sanitization of absolute linkpaths
  • Prevention of hardlink entries being written ahead of their targets
  • Fixes for symlink write race conditions
  • TOCTOU (time-of-check to time-of-use) behavior improvements
• The @actions/core patch includes an updated undici HTTP client

🎯 Impact Scope Investigation

Usage Locations Identified:

1. .github/workflows/ci.yml:84 - E2E test job using build-push-action
2. .github/workflows/release-please.yml:75 - Publish job using build-push-action

Current Usage Analysis:

CI Workflow (e2e-test job):

uses: docker/build-push-action@v7.2.0
with:
  context: .
  load: true
  tags: sandbox:latest
  cache-from: type=gha,scope=ci-${{ matrix.os }}
  cache-to: type=gha,scope=ci-${{ matrix.os }},mode=max

Release Workflow (publish job):

uses: docker/build-push-action@v7.2.0
with:
  context: .
  push: true
  platforms: linux/amd64,linux/arm64
  tags: ${{ steps.meta.outputs.tags }}
  labels: ${{ steps.meta.outputs.labels }}
  cache-from: type=gha,scope=release
  cache-to: type=gha,scope=release,mode=max

Compatibility Verification:

• All parameters used (context, load, push, tags, platforms, labels, cache-from, cache-to) remain fully supported in v7.2.0
• No parameter signature changes, deprecations, or removals between v7.1.0 and v7.2.0
• The action maintains complete backward compatibility

Impact on Dependencies:

• No impact on other GitHub Actions used in the workflows
• Works seamlessly with existing docker/setup-buildx-action@v4.0.0
• Compatible with docker/metadata-action@v6.0.0 and other Docker ecosystem actions

Configuration Files:

• No changes required to .github/workflows/ci.yml
• No changes required to .github/workflows/release-please.yml
• No changes required to any Docker-related configuration files

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR immediately - This is a safe, backward-compatible update
2. ✅ No code changes required - All existing workflow configurations remain valid
3. ✅ No migration work needed - The update is transparent to users

Verification Steps (Post-Merge):

1. Monitor the next E2E test run to confirm Docker build caching continues to work correctly
2. Verify the next release publish completes successfully with multi-platform builds
3. Check GitHub Actions job summaries to ensure build reports are generated properly

Benefits of Merging:

• Improved security posture through dependency updates (especially tar and undici fixes)
• Continued compatibility with the Docker Build ecosystem
• Keeps the action up-to-date with latest maintenance releases

🔗 Reference Links

• Release Notes v7.2.0
• Full Changelog v7.1.0...v7.2.0
• Action Documentation
• PR #1525 - @actions/core update
• PR #1533 - tar security fixes

Generated by koki-develop/claude-renovate-review