Skip to content

chore(deps): update dependency dash14/buildcage to v2.2.3#173

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/dash14-buildcage-2.x
Open

chore(deps): update dependency dash14/buildcage to v2.2.3#173
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/dash14-buildcage-2.x

Conversation

@renovate

@renovate renovate Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
dash14/buildcage patch v2.2.2v2.2.3
dash14/buildcage action patch v2.2.2v2.2.3

Release Notes

dash14/buildcage (dash14/buildcage)

v2.2.3

Compare Source

Breaking Changes
  • Rename the sandbox action to run (#​166)

    • dash14/buildcage/sandbox@... doesn't describe what the action does — it applies buildcage's network-isolation technology to run an arbitrary command, not "sandbox" it in some more general sense. The action is now dash14/buildcage/run, matching what a workflow author actually calls it for. No backward-compatible alias is kept.

    Before (v2.2.x):

    - uses: dash14/buildcage/sandbox@<sha>
      with:
        run: npm install

    After (v2.2.3):

    - uses: dash14/buildcage/run@<sha>
      with:
        run: npm install
Features
  • Generate a restrict-mode example in the run action's audit report (#​170)
    • The report action's audit-mode Job Summary already includes a ready-to-paste restrict-mode YAML example built from the audited hosts, saving a workflow author from hand-copying hostnames out of the table. The run action's own report renderer now generates the same kind of example — a run@<ref> step with proxy_mode: restrict and the discovered allowlist rules, plus the original run: command preserved so it stays copy-pasteable on its own
Bug Fixes
  • Handle read-only remount rejections on Docker-masked /proc mounts (#​167)
    • run-isolated.sh's read-only pass walks every mount under /proc/self/mountinfo and fails closed if a remount is rejected. Under Docker Desktop, /proc/scsi and /proc/interrupts are masked before the sandbox re-parents them under a fresh procfs, and the kernel then rejects an otherwise-harmless remount on them, breaking the mac dev loop without indicating any actual isolation gap. Mounts already reported read-only are now skipped, and remaining rejections get one retry re-bound onto themselves
  • Fix run's actionRef/actionRepo fallback for local-path invocations (#​171)
    • run/src/main.js fell through to an empty string instead of report/src/main.js's "v2"/"dash14/buildcage" defaults when invoked via uses: ./run, rendering a broken uses: /run@ in the generated audit-mode example
  • Fix a trailing blank line in the generated restrict-mode example's run: block (#​172)
    • GitHub Actions' run: | block scalar always keeps one trailing newline, which split() turned into a spurious empty line
  • Fix parseVertexAllowedLog to handle buildctl's multi-document JSON output (#​172)
    • A single JSON.parse() on the whole log text threw whenever buildctl debug logs --progress=rawjson flushed more than one newline-separated JSON document, silently dropping the explicit engine's Audited Hosts table and Communication details section
Improvements
  • Add a label input to the run action (#​172)
    • Aligns its Job Summary heading (## Outbound Traffic Report — <label> (mode)) and Audited/Blocked/Allowed Hosts sub-headings with the report action's, so multiple run steps in the same job can be told apart in the summary
Documentation
  • Add example-explicit.yml, an example workflow for the experimental explicit proxy engine (#​172)
  • Add example-run-audit.yml, an example workflow for the run action's audit mode (#​172)
CI / Maintenance
  • Split test.yml into test-unit.yml, test-integration.yml, and test-e2e.yml (#​157)
    • Each keeps its own path-filter job and labeled job names (unit: test, integration: test (...), e2e: test (...)), replacing the single all-tests-passed required check with one aggregator per tier
  • Split the run action's e2e tests by case and consolidate its integration tests (#​171)
    • writable:/privilege-drop/filesystem-default cases and direct concurrent proxy lifecycles don't depend on the action wrapper, so they've moved out of test-e2e.yml into real shell scripts under run/test/, run via a single make test_sandbox_integration target; a new test_sandbox_audit_mode e2e job covers the restrict-mode example added in #​170
  • Apply the latest Docker tag on release publish, not draft creation (#​169)
    • docker-publish.yml runs on tag push, which happens while creating the draft release, so latest was moving onto a new version before anyone reviewed or published it. Tagging latest is now handled by update-major-tag.yml, gated on release: published, alongside the existing major/minor floating tags
Refactoring
  • Move each action's Docker build context and test fixtures under its own directory (#​160)
    • setup/docker/, sandbox/docker/ (now run/docker/), setup/test/, sandbox/test/ were shared across actions despite belonging to only one of them, making ownership unclear as the actions diverged. Code actually shared across actions (image verification, Sigstore, rule/log parsing) was consolidated into a new core/
Dependencies
  • Bump self-referential dash14/buildcage action pin to v2.2.2 (#​130)
  • Bump github/codeql-action to v4.36.3 (#​158)
  • Bump docker/build-push-action to v7.3.0 (#​159)
  • Bump docker/login-action to v4.4.0 (#​161)
  • Bump docker/setup-buildx-action to v4.2.0 (#​162)
  • Bump docker/metadata-action to v6.2.0 (#​163)
  • Bump docker/setup-qemu-action to v4.2.0 (#​164)
  • Bump google.golang.org/grpc to v1.82.0 (#​165)

Full Changelog: v2.2.2...v2.2.3


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Only on Saturday (* * * * 6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants