Update docker/build-push-action

[networkfusion]

Description

Update docker/build-push-action to V6

CI failures are due to CMSIS quota limit.

Motivation and Context

Keeps GH actions up-to-date

How Has This Been Tested?

CI

Screenshots

Types of changes

• Improvement (non-breaking change that improves a feature, code or algorithm)
• Bug fix (non-breaking change which fixes an issue with code or algorithm)
• New feature (non-breaking change which adds functionality to code)
• Breaking change (fix or feature that would cause existing functionality to change)
• Config and build (change in the configuration and build system, has no impact on code or features)
• Dev Containers (changes related with Dev Containers, has no impact on code or features)
• Dependencies/declarations (update dependencies or assembly declarations and changes associated, has no impact on code or features)
• Documentation (changes or updates in the documentation, has no impact on code or features)

Checklist

• My code follows the code style of this project (only if there are changes in source code).
• My changes require an update to the documentation (there are changes that require the docs website to be updated).
• I have updated the documentation accordingly (the changes require an update on the docs in this repo).
• I have read the CONTRIBUTING document.
• I have tested everything locally and all new and existing tests passed (only if there are changes in source code).

Summary by CodeRabbit

• Chores
  • Updated CI build-and-push action to a newer release for improved reliability and support.
  • Container publishes now include both a version-specific tag and a "latest" tag for easier image consumption; no user-facing features changed.

[coderabbitai]

Walkthrough

Updated multiple GitHub Actions workflows to use docker/build-push-action@v6 (from v5); the action now pushes two image tags (versioned and latest) while the rest of each workflow remains unchanged.

Changes

Cohort / File(s)	Change Summary
Devcontainer workflows .github/workflows/devcontainer-all.yaml, .github/workflows/devcontainer-azurertos.yaml, .github/workflows/devcontainer-chibios.yaml, .github/workflows/devcontainer-esp32.yml, .github/workflows/devcontainer-freertos-nxp.yaml, .github/workflows/devcontainer-ti.yaml	Replaced docker/build-push-action@v5 with docker/build-push-action@v6 and added tags input to push a versioned tag and latest; no other workflow logic or inputs changed.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant BuildPush as docker/build-push-action@v6
    participant Registry as Container Registry

    GH->>BuildPush: invoke build (context, file, push)
    note right of BuildPush #DDEBF7: v6 receives\n`tags` input
    BuildPush->>Registry: push image :${GCR_VERSION}
    BuildPush->>Registry: push image :latest
    Registry-->>BuildPush: ack
    BuildPush-->>GH: step complete

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Update docker/build-push-action" succinctly and accurately summarizes the PR's primary change—upgrading the docker/build-push-action used in multiple devcontainer workflow files from v5 to v6—and is clear and specific enough for a reviewer scanning history to understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-docker-build-push-action

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (6)

.github/workflows/devcontainer-all.yaml (1)

55-63: Confirm v6 input/output parity & pin digest for reproducibility

docker/build-push-action v6 removes some deprecated inputs and introduces new defaults (e.g., load: true auto-loads images). The current with: block (file, push, tags) is still supported, but please double-check the v6 release notes to ensure no silent behaviour changes affect this workflow.
For supply-chain stability, consider pinning to the major tag + digest, e.g. docker/build-push-action@v6@sha256:<digest>.

.github/workflows/devcontainer-ti.yaml (1)

55-63: Same v6 compatibility & digest pinning considerations

Replicate the v6 release-notes check and digest pinning suggestion here to maintain consistent, reproducible builds across all dev-container workflows.

.github/workflows/devcontainer-azurertos.yaml (1)

55-63: Validate behaviour change after upgrading to v6

Ensure push: true and tag handling behave exactly as before; v6 tweaks cache-related defaults that could impact build time or registry content. Pin to a digest for immutability if possible.

.github/workflows/devcontainer-esp32.yml (1)

55-63: Upgrade sanity-check and optional digest pin

Confirm no deprecated inputs (e.g., context, platforms) are implicitly relied upon. Consider locking the action to @v6@sha256:<digest> to avoid unexpected future changes.

.github/workflows/devcontainer-chibios.yaml (1)

55-63: Consistency check after bump to v6

Double-check the ChibiOS image still builds & pushes as expected with the new major version and apply digest pinning for deterministic CI runs.

.github/workflows/devcontainer-freertos-nxp.yaml (1)

55-57: Verify v6 migration settings (provenance, sbom, cache) before merging

docker/build-push-action@v6 introduces new defaults (provenance: true, sbom: true, different cache-from/to syntax).
If you don’t explicitly want provenance/SBOM generation or intend to keep the current cache behaviour, add the relevant inputs:

-    - name: Build and Push Docker Image
-      uses: docker/build-push-action@v6
+    - name: Build and Push Docker Image
+      uses: docker/build-push-action@v6
+      with:
+        provenance: false   # disable SLSA attestation if not required
+        sbom: false         # disable SBOM upload if not required
+        # cache-from / cache-to examples:
+        # cache-from: type=registry,ref=${{ env.CONTAINER_REPO }}/...:cache
+        # cache-to:   type=registry,ref=${{ env.CONTAINER_REPO }}/...:cache,mode=max

(Or keep them enabled deliberately—just make the choice explicit.)

Also consider pinning to a full semver tag or SHA for supply-chain safety, e.g. docker/[email protected].

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8b977d and 1af8585.

📒 Files selected for processing (6)

• .github/workflows/devcontainer-all.yaml (1 hunks)
• .github/workflows/devcontainer-azurertos.yaml (1 hunks)
• .github/workflows/devcontainer-chibios.yaml (1 hunks)
• .github/workflows/devcontainer-esp32.yml (1 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
• .github/workflows/devcontainer-ti.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, All)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/devcontainer-esp32.yml (1)

58-65: Optional: enable SBOM/provenance attestations with v6.

Adds supply‑chain metadata with minimal overhead.
Apply within this block:

       with:
         file: ${{ env.CONTAINER_SRC_FILE }}
         push: true # Will only build if this is not here
         tags: |
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }}
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        sbom: true
+        provenance: true

Docs: SBOM/provenance on build-push-action@v6; v6 also emits a job summary by default. (docs.docker.com)

.github/workflows/devcontainer-azurertos.yaml (2)

58-65: Optional: add SBOM/provenance generation.

Strengthens image traceability; simple toggle with v6.

       with:
         file: ${{ env.CONTAINER_SRC_FILE }}
         push: true # Will only build if this is not here
         tags: |
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }}
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        sbom: true
+        provenance: true

See guidance. (docs.docker.com)

---

58-65: Heads-up: v6 build record artifact.

Same note as the ESP32 workflow—ensure any actions/download-artifact steps don’t unintentionally fetch “*.dockerbuild” artifacts.

Use the audit script from the previous comment; it covers all workflows. (github.com)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1af8585 and 051a2bd.

📒 Files selected for processing (6)

• .github/workflows/devcontainer-all.yaml (1 hunks)
• .github/workflows/devcontainer-azurertos.yaml (1 hunks)
• .github/workflows/devcontainer-chibios.yaml (1 hunks)
• .github/workflows/devcontainer-esp32.yml (1 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
• .github/workflows/devcontainer-ti.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• .github/workflows/devcontainer-chibios.yaml
• .github/workflows/devcontainer-freertos-nxp.yaml
• .github/workflows/devcontainer-ti.yaml
• .github/workflows/devcontainer-all.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, All)

🔇 Additional comments (3)

.github/workflows/devcontainer-esp32.yml (2)

58-58: Upgrade to docker/build-push-action@v6 looks good.

Inputs used here (file, push, tags) are compatible with v6; no breaking changes for this step.
See: docker/build-push-action docs. (github.com)

---

58-65: Heads-up: docker/build-push-action@v6 uploads build-record artifacts — no action required now.

• v6 present in: .github/workflows/devcontainer-esp32.yml, .github/workflows/devcontainer-all.yaml, .github/workflows/devcontainer-azurertos.yaml, .github/workflows/devcontainer-chibios.yaml, .github/workflows/devcontainer-freertos-nxp.yaml, .github/workflows/devcontainer-ti.yaml
• No occurrences of actions/download-artifact were found in .github/workflows. To ignore build-record artifacts in any download-artifact steps use:
  with:
  pattern: "!*.dockerbuild"

.github/workflows/devcontainer-azurertos.yaml (1)

58-58: Upgrade to docker/build-push-action@v6 looks good.

Inputs here remain valid with v6; behavior is unchanged for build/push/tags.
Docs reference. (github.com)