
chore(deps): update docker/build-push-action action to v7.1.0 #50

Open
renovate[bot] wants to merge 1 commit into main from renovate/docker-build-push-action-7.x

renovate Bot commented May 9, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| docker/build-push-action | action | minor | v7.0.0 → v7.1.0 |

Release Notes

docker/build-push-action (docker/build-push-action)

v7.1.0

Compare Source

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented May 9, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

New Features

  • Git context query format support — allows passing URL query parameters when using a remote Git URL as the build context. This is purely additive; the current usage passes context: . (local directory), so this feature has no effect here.

Dependency / Security Updates

  • handlebars 4.7.8 → 4.7.9 — handlebars has a history of XSS/prototype-pollution CVEs; the patch bump likely addresses a security issue.
  • undici 6.23.0 → 6.24.1 — undici HTTP client; patch releases frequently address security concerns (SSRF, header injection).
  • fast-xml-parser 5.4.2 → 5.5.7 — XML parser; minor bumps often contain ReDoS or injection hardening.
  • brace-expansion 1.1.12 → 1.1.13 — ReDoS fix (well-known pattern for this library).
  • flatted, glob, picomatch, vite, lodash, @docker/actions-toolkit — routine maintenance bumps, no known CVEs.

No Breaking Changes — no input/output schema changes, no removed inputs, no changed defaults between v7.0.0 and v7.1.0.

🎯 Impact Scope Investigation

Usage in this codebase

  • Single usage in .github/workflows/release-please.yml (line 126), inside the docker-release job.
  • Active inputs: context: ., push: true, platforms: linux/amd64,linux/arm64, tags, labels, build-args, cache-from/cache-to (GitHub Actions cache).
  • None of the changed inputs or new features (Git context query format) are exercised by this configuration, so runtime behavior is unchanged.

Commit-pin hygiene

  • The PR correctly updates the pinned SHA from d08e5c354a6adb9ed34480a06d141179aa583294 (v7.0.0) to bcafcacb16a39f128d818304e6c9c0c18556b85f (v7.1.0), maintaining the repository's security-conscious SHA-pinning practice.

Impact on other dependencies

  • None. The action change is isolated to the CI workflow; it does not affect the Go module graph or any production code.

💡 Recommended Actions

  • No code or configuration changes are required beyond what is already in this PR.
  • Merge as-is. The update is backward-compatible, brings in several security-oriented dependency bumps, and leaves the current build/push configuration completely unaffected.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
