update cagent-action to latest (with better permissions)#13665
Merged
glours merged 3 commits intodocker:mainfrom Mar 25, 2026
Merged
Conversation
derekmisler
commented
Mar 24, 2026
Comment on lines
-11
to
-15
| # Serialize reviews per PR; do not cancel in-progress runs | ||
| # so no review is silently dropped mid-execution. | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number }} | ||
| cancel-in-progress: false |
Contributor
Author
There was a problem hiding this comment.
This is already baked into the action.
derekmisler
commented
Mar 24, 2026
Comment on lines
-19
to
-33
| # Only run on the upstream repo (not forks) to prevent credential leaks. | ||
| # Skip draft PRs (ready_for_review will fire when promoted). | ||
| # Skip bot actors to avoid reviewing Dependabot and automation PRs. | ||
| # Require collaborator-level access for comment-triggered events. | ||
| # Only trigger on PR comments, not plain issue comments. | ||
| if: >- | ||
| github.repository == 'docker/compose' && | ||
| (github.event_name != 'pull_request_target' || github.event.pull_request.draft == false) && | ||
| (github.event_name == 'pull_request_target' || | ||
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | ||
| (github.event_name == 'pull_request_review_comment' && | ||
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))) && | ||
| !endsWith(github.actor, '[bot]') |
Contributor
Author
There was a problem hiding this comment.
This is also now included in the action.
Signed-off-by: Derek Misler <derek.misler@docker.com>
derekmisler
force-pushed
the
update-cagent-action-to-latest-with-better-permis
branch
from
4417b26 to
4b44171
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the PR review automation workflow to use the latest docker/cagent-action reusable workflow and simplifies the workflow logic by relying on the action’s built-in filtering/serialization.
Changes:
- Bump
docker/cagent-actionreusable workflow pin to v1.3.1. - Switch auto-review trigger from
pull_request_targettopull_request, keeping/reviewviaissue_comment. - Add top-level
permissions: contents: readand scope job-level permissions explicitly; remove prior workflow-levelifgating andconcurrency.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Derek Misler <derekmisler@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Derek Misler <derekmisler@gmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
glours
approved these changes
Mar 25, 2026
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Apr 10, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/compose](https://github.com/docker/compose) | patch | `v5.1.1` → `v5.1.2` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>docker/compose (docker/compose)</summary> ### [`v5.1.2`](https://github.com/docker/compose/releases/tag/v5.1.2) [Compare Source](docker/compose@v5.1.1...v5.1.2) #### What's Changed ##### 🐛 Fixes - Fix TTY timer rendering when duration length changes by [@​MaybeSam05](https://github.com/MaybeSam05) in [#​13634](docker/compose#13634) - Fix up attach filtering by [@​false200](https://github.com/false200) in [#​13664](docker/compose#13664) - Preserve ssh:// URL scheme when resolving Dockerfile path by [@​ssam18](https://github.com/ssam18) in [#​13669](docker/compose#13669) - Initialize and pass envFiles map in processExtends by [@​Mohamed-Moumni](https://github.com/Mohamed-Moumni) in [#​13678](docker/compose#13678) - Fix TestRunHook\_ConsoleSize on macOS by [@​thaJeztah](https://github.com/thaJeztah) in [#​13686](docker/compose#13686) - Restore post-connect fallback for multi-network stacks on API < 1.44 by [@​jotka](https://github.com/jotka) in [#​13629](docker/compose#13629) - Publish: return api.ErrCanceled when user declines interactive prompts by [@​ishwar170695](https://github.com/ishwar170695) in [#​13674](docker/compose#13674) - Return error on non-ErrNotExist stat failures in Tar.Sync() by [@​Lidang-Jiang](https://github.com/Lidang-Jiang) in [#​13684](docker/compose#13684) ##### 🔧 Internal - Refactor: thread context through publish sensitive data check by [@​ishwar170695](https://github.com/ishwar170695) in [#​13653](docker/compose#13653) - Add AI-powered MR review workflow via `docker/cagent-action` by [@​glours](https://github.com/glours) in [#​13659](docker/compose#13659) - Update `cagent-action` to latest (with better permissions) by [@​derekmisler](https://github.com/derekmisler) in [#​13665](docker/compose#13665) - Pin GitHub Actions to commit SHA, remove pr-review workflow by [@​glours](https://github.com/glours) in [#​13662](docker/compose#13662) - Exclude hook\_test.go from Windows builds and propagate ExecStart error in runWaitExec by [@​pawannn](https://github.com/pawannn) in [#​13683](docker/compose#13683) - Skip MR review workflow for Dependabot MRs by [@​glours](https://github.com/glours) in [#​13679](docker/compose#13679) - Use negotiated API version for network setup by [@​glours](https://github.com/glours) in [#​13690](docker/compose#13690) - Fix mixed assertion libraries in tests by [@​thaJeztah](https://github.com/thaJeztah) in [#​13689](docker/compose#13689) - Test: use random host port for dind TLS build test by [@​ricardobranco777](https://github.com/ricardobranco777) in [#​13630](docker/compose#13630) - Remove direct dependency on `docker/docker` by [@​glours](https://github.com/glours) in [#​13706](docker/compose#13706) ##### ⚙️ Dependencies - Bump github.com/containerd/platforms from `1.0.0-rc.2` to `1.0.0-rc.3` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13657](docker/compose#13657) - Bump golangci-lint to `v2.11.3` and configure CLAUDE to use it on change by [@​ndeloof](https://github.com/ndeloof) in [#​13656](docker/compose#13656) - Bump google.golang.org/grpc from `1.78.0` to `1.79.3` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13642](docker/compose#13642) - Bump github.com/moby/patternmatcher from `0.6.0` to `0.6.1` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13667](docker/compose#13667) - Bump go.opentelemetry.io/otel/sdk from `1.39.0` to `1.42.0` by [@​glours](https://github.com/glours) in [#​13663](docker/compose#13663) - Bump github.com/docker/cli from `29.2.1+incompatible` to `29.3.1+incompatible` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13670](docker/compose#13670) - Bump github.com/hashicorp/go-version from `1.8.0` to `1.9.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13692](docker/compose#13692) - Bump github.com/docker/buildx `v0.33.0`, buildkit `v0.29.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13693](docker/compose#13693) - Bump google.golang.org/grpc from `1.79.3` to `1.80.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13697](docker/compose#13697) - Bump github.com/containerd/platforms from `1.0.0-rc.3` to `1.0.0-rc.4` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13696](docker/compose#13696) - Bump github.com/moby/moby/client `v0.4.0`, moby/api `v1.54.1` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13708](docker/compose#13708) - Bump github.com/docker/cli `v29.4.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13707](docker/compose#13707) - Bump compose-go to version `v2.10.2` by [@​glours](https://github.com/glours) in [#​13705](docker/compose#13705) - Bump to Go `1.25.9` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13720](docker/compose#13720) #### New Contributors - [@​MaybeSam05](https://github.com/MaybeSam05) made their first contribution in [#​13634](docker/compose#13634) - [@​ishwar170695](https://github.com/ishwar170695) made their first contribution in [#​13653](docker/compose#13653) - [@​derekmisler](https://github.com/derekmisler) made their first contribution in [#​13665](docker/compose#13665) - [@​false200](https://github.com/false200) made their first contribution in [#​13664](docker/compose#13664) - [@​ssam18](https://github.com/ssam18) made their first contribution in [#​13669](docker/compose#13669) - [@​Mohamed-Moumni](https://github.com/Mohamed-Moumni) made their first contribution in [#​13678](docker/compose#13678) - [@​pawannn](https://github.com/pawannn) made their first contribution in [#​13683](docker/compose#13683) - [@​jotka](https://github.com/jotka) made their first contribution in [#​13629](docker/compose#13629) - [@​Lidang-Jiang](https://github.com/Lidang-Jiang) made their first contribution in [#​13684](docker/compose#13684) **Full Changelog**: <docker/compose@v5.1.1...v5.1.2> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuOCIsInVwZGF0ZWRJblZlciI6IjQzLjExMC44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What I did
Upgrade
docker/cagent-actionfrom v1.2.13 to v1.3.1 and simplify the PR review workflow.Key changes:
dba0ca51…@v1.3.1, which handles filtering logic (draft PRs, bot actors, collaborator checks) internally — removing ~20 lines of hand-rolledifconditions from the workflow.pull_request_targettopull_request— the new action version manages fork PR security itself, sopull_request_targetis no longer needed. Fork PRs can still be reviewed via the/reviewcomment command.permissions: contents: readsoissue_comment-triggered runs can access secrets, and scope remaining permissions to thereviewjob to follow least-privilege.concurrencyblock — the updated action handles review serialization internally.Related issue
Closes: https://github.com/docker/gordon/issues/272
(not mandatory) A picture of a cute animal, if possible in relation to what you did
🤖🐙 (an AI octopus reviewing pull requests)