
chore(deps): update docker/login-action digest to 650006c #2012

Merged
yastman merged 1 commit into dev from renovate/docker-login-action-digest on May 22, 2026

Conversation

@renovate renovate Bot (Contributor) commented May 22, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| docker/login-action (changelog) | action | digest | 4907a6d → 650006c |

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@yastman yastman (Owner) left a comment


Findings

No blocking findings.

Notes

  • Single-line digest swap in .github/workflows/publish-internal-images.yml:
    docker/login-action@4907a6d… # v4 → docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.
  • Verified upstream: GET https://api.github.com/repos/docker/login-action/git/refs/tags/v4 → object.sha = 650006c6eb7dba73a995cc03b0b2d7f5ca915bee. Pin is genuine, comment label # v4 truthful, commit signature verified=true.
  • YAML still parses (yaml.safe_load clean).

Verification

  • gh pr checks 2012 → Lint + Fast Tests SUCCESS.
  • Renovate digest verified against GitHub git refs API.

Summary

  • Review decision: clean.
  • SDK-native check: not_applicable (action digest pin).
  • Runtime blast radius: GHCR push job in publish-internal-images.yml; behaviour-equivalent within v4.

@yastman yastman (Owner) commented May 22, 2026

Analysis (via gh api repos/docker/login-action/...):

TL;DR: low-risk digest move that re-pins the v4 floating tag from an unidentified intermediate commit to the freshly-released v4.2.0 (published today, 2026-05-22 11:55 UTC). 59 commits between, all dependency bumps + CI infra; no functional/breaking changes to the action itself. Safe to merge.

Commit + tag mapping

| Digest | Resolves to | Notes |
|---|---|---|
| 4907a6d (old) | unspecified commit on v4 floating tag | predates v4.0.0 SHA b45d80f; falls within the post-v3.7.0 window |
| 650006c (new) | v4.2.0 exactly | also the current master HEAD; v4 floating tag now points here |

gh api repos/docker/login-action/git/ref/tags/v4 returns 650006c. gh api repos/docker/login-action/git/ref/tags/v4.2.0 returns the same. So the digest pin and v4.2.0 are identical.

What changed in 59 commits

Pure dependency / build-tooling work — no behavioural change to the action runtime:

  • v4.0.0 (2026-03-04) — Node 24 default runtime + ESM migration. Already covered by the old digest (4907a6d is post-v4.0.0).
  • v4.1.0 (2026-04-02) — fix scoped Docker Hub cleanup path when registry is omitted (PR docker/login-action#945) + dep bumps.
  • v4.2.0 (2026-05-22) — only dep bumps, including security-relevant ones:
    • tar 6.2.1 → 7.5.15
    • brace-expansion 2.0.1 → 5.0.6
    • fast-xml-parser 5.3.6 → 5.8.0
    • http(s)-proxy-agent → 9.0.0
    • @actions/core 3.0.0 → 3.0.1
  • One bundling change: replace ncc with esbuild (PR docker/login-action#978). Output filename in dist/ changes from index.js → index.cjs. Internal to the action — no surface impact for callers.

Where this is used in this repo

Single call site:

```yaml
# .github/workflows/publish-internal-images.yml:68
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
```

Used to authenticate before docker/build-push-action pushes images to GHCR. The login API surface (registry, username, password, ecr, logout) is unchanged across v4.0.0..v4.2.0 — verified against the v4.2.0 release notes which list only dep bumps.

Risk assessment

| Vector | Status |
|---|---|
| Major-version breaking change | None — same v4 major. |
| Action API surface change | None — inputs/outputs unchanged in the v4.x line. |
| Behavioural change in registry: ghcr.io flow | None — only the registry: docker.io-empty path was patched in v4.1.0; we use a non-empty registry. |
| Supply-chain (digest pinning) | Preserved — still pinned by full SHA, just bumped to a newer commit on the same v4 line. |
| Renovate verify:dependency | This PR is the verification artefact for Dependency Dashboard #11. |

Recommendation

Merge as-is. The bump:

  • Is a pure dependency refresh (security-positive: tar, brace-expansion, fast-xml-parser).
  • Aligns the digest pin with a tagged release (v4.2.0), which is easier to audit than an arbitrary intermediate commit.
  • Touches one workflow line; no other repo files reference docker/login-action.

Closes one entry on the Renovate Dependency Dashboard tracking issue (#11).

— Audit performed with gh api repos/docker/login-action/... (commits, tags, releases). 59 commits inspected, 0 functional regressions found.
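The check both review comments describe (resolve the tag named in the trailing `# vN` comment through the Git refs API and compare it with the 40-character digest the workflow pins), as an added example in Python that is not part of this PR or of docker/login-action. The GitHub API calls are replaced by constructed lookup tables so the script runs offline; the docker/login-action entries use the digest and tags quoted in this PR, while the `example/...` actions, their SHAs and their responses are hypothetical, added to exercise the annotated-tag, drifted-label and unpinned cases that a reviewer would want flagged.

```python
"""Audit SHA-pinned `uses:` lines against the tag their trailing comment claims.

Added example, not code from this PR or from docker/login-action. Network access is
replaced by constructed tables whose shapes mirror the GitHub Git Database API.
"""
import re
from dataclasses import dataclass
from typing import Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<label>\S+))?"
)

# Constructed stand-in for GET /repos/{repo}/git/ref/tags/{tag}. Each value is the
# response's "object" member: type "commit" for a lightweight tag, type "tag" for an
# annotated tag (then sha names the tag object, not the commit). docker/login-action
# entries are the values quoted in this PR; example/... entries are hypothetical.
FAKE_REF_API = {
    ("docker/login-action", "v4"): {"type": "commit", "sha": "650006c6eb7dba73a995cc03b0b2d7f5ca915bee"},
    ("docker/login-action", "v4.2.0"): {"type": "commit", "sha": "650006c6eb7dba73a995cc03b0b2d7f5ca915bee"},
    ("example/annotated-action", "v2.3.0"): {"type": "tag", "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    ("example/drifted-action", "v1"): {"type": "commit", "sha": "3333333333333333333333333333333333333333"},
}
# Constructed stand-in for GET /repos/{repo}/git/tags/{sha}, again the "object" member.
FAKE_TAG_API = {
    ("example/annotated-action", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"):
        {"type": "commit", "sha": "1111111111111111111111111111111111111111"},
}


def fake_get_ref(repo: str, tag: str):
    return FAKE_REF_API.get((repo, tag))


def fake_get_tag(repo: str, sha: str):
    return FAKE_TAG_API.get((repo, sha))


def resolve_tag_commit(repo, tag, get_ref=fake_get_ref, get_tag=fake_get_tag, max_hops=5):
    """Return the commit SHA a tag ultimately points at, or None if the tag is unknown.
    Annotated tags (and tags of tags) are dereferenced until a commit is reached."""
    obj = get_ref(repo, tag)
    for _ in range(max_hops):
        if obj is None:
            return None
        if obj["type"] == "commit":
            return obj["sha"]
        if obj["type"] != "tag":
            return None
        obj = get_tag(repo, obj["sha"])
    return None


@dataclass
class PinCheck:
    repo: str
    ref: str
    label: Optional[str]
    status: str  # "ok" | "unpinned" | "unlabelled" | "tag-not-found" | "label-mismatch"
    resolved: Optional[str] = None


def check_uses_line(line, get_ref=fake_get_ref, get_tag=fake_get_tag):
    """Classify one `uses:` line; None if the line is not a `uses:` entry."""
    m = USES_RE.search(line)
    if not m:
        return None
    repo, ref, label = m.group("repo"), m.group("ref"), m.group("label")
    if not SHA_RE.match(ref):
        return PinCheck(repo, ref, label, "unpinned")        # floating tag or branch
    if label is None:
        return PinCheck(repo, ref, label, "unlabelled")      # SHA with nothing to audit against
    resolved = resolve_tag_commit(repo, label, get_ref, get_tag)
    if resolved is None:
        return PinCheck(repo, ref, label, "tag-not-found")
    if resolved != ref:
        return PinCheck(repo, ref, label, "label-mismatch", resolved)  # comment lies about the pin
    return PinCheck(repo, ref, label, "ok", resolved)


def audit_workflow(text, **fetchers):
    return [r for r in (check_uses_line(l, **fetchers) for l in text.splitlines()) if r]


# Constructed workflow excerpt: first entry is this PR's pin, the rest are hypothetical.
WORKFLOW_SNIPPET = """\
steps:
  - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
  - uses: example/annotated-action@1111111111111111111111111111111111111111 # v2.3.0
  - uses: example/drifted-action@2222222222222222222222222222222222222222 # v1
  - uses: example/unpinned-action@v3
"""

if __name__ == "__main__":
    for r in audit_workflow(WORKFLOW_SNIPPET):
        print(f"{r.status:15} {r.repo}@{r.ref[:7]} label={r.label} resolved={(r.resolved or '-')[:7]}")
```

To run this against a live repository, replace `fake_get_ref` and `fake_get_tag` with wrappers around `gh api repos/<owner>/<repo>/git/ref/tags/<tag>` and `gh api repos/<owner>/<repo>/git/tags/<sha>`, returning the `object` member of each response. The second call is the step reviewers tend to skip: for an annotated tag the first response's `object.sha` is the tag object rather than the commit, and comparing it directly against the pin reports a false mismatch.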

@yastman yastman merged commit 3fa1509 into dev May 22, 2026
2 checks passed
@yastman yastman deleted the renovate/docker-login-action-digest branch May 22, 2026 14:50
