Bump docker/setup-buildx-action from 1 to 2

[dependabot]

Bumps docker/setup-buildx-action from 1 to 2.

Release notes

Sourced from docker/setup-buildx-action's releases.

v2.0.0

• Node 16 as default runtime by @​crazy-max (#131)
  • This requires a minimum Actions Runner version of v2.285.0, which is by default available in GHES 3.4 or later.

Full Changelog: docker/setup-buildx-action@v1.7.0...v2.0.0

v1.7.0

• Standalone mode by @​crazy-max in (#119)
• Update dev dependencies and workflow by @​crazy-max (#114 #130)
• Bump tmpl from 1.0.4 to 1.0.5 (#108)
• Bump ansi-regex from 5.0.0 to 5.0.1 (#109)
• Bump @​actions/core from 1.5.0 to 1.6.0 (#110)
• Bump actions/checkout from 2 to 3 (#126)
• Bump @​actions/tool-cache from 1.7.1 to 1.7.2 (#128)
• Bump @​actions/exec from 1.1.0 to 1.1.1 (#129)
• Bump minimist from 1.2.5 to 1.2.6 (#132)
• Bump codecov/codecov-action from 2 to 3 (#133)
• Bump semver from 7.3.5 to 7.3.7 (#136)

v1.6.0

• Add config-inline input (#106)
• Bump @​actions/core from 1.4.0 to 1.5.0 (#104)
• Bump codecov/codecov-action from 1 to 2 (#101)

v1.5.1

• Explicit version spec for caching (#100)

v1.5.0

• Allow building buildx from source (#99)

v1.4.1

• Fix docker: invalid reference format (#97)

v1.4.0

• Update dev deps (#95)
• Use built-in getExecOutput (#94)
• Use core.getBooleanInput (#93)
• Bump @​actions/exec from 1.0.4 to 1.1.0 (#85)
• Bump y18n from 4.0.0 to 4.0.3 (#91)
• Bump hosted-git-info from 2.8.8 to 2.8.9 (#89)
• Bump ws from 7.3.1 to 7.5.0 (#90)
• Bump @​actions/tool-cache from 1.6.1 to 1.7.1 (#82 #86)
• Bump @​actions/core from 1.2.7 to 1.4.0 (#80 #87)

v1.3.0

• Display BuildKit version (#72)

v1.2.0

• Remove os limitation (#71)
• Add test job for config input (#68)

... (truncated)

Commits

• dc7b971 Merge pull request #131 from crazy-max/node16
• f55bc08 Merge pull request #141 from crazy-max/fix-test
• aa877a9 ci: fix standalone test
• 130c56f Node 16 as default runtime
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

wanna experiment with updating SHA

[chevdor]

Using the SHA does not make it very easy for a reader to know what version is used. I see the comment but that means relying on it being correct. Sure you want to do that ?

[TriplEight]

Yes, there are several security concerns to it. I.e. $someone can tag a malicious version or te-tag one with an approved tag. Many repos of github itself are updating dependencies with dependabot updating them on trusted versions with SHA. The inconvenience is that a human has to update the comment for readability.

[chevdor]

Would that not be a better alternative to define an ENV/secret called DOCKER_SETUP-BUILDX-ACTION=<sha> # v2.
That could even be defined globally on the repo so the CI team can bump all approved versions from a single place without digging into each GH workflow ?

[chevdor]

An event better alternative would be to fork those actions and you set a latest or safe tag. That makes it simple to check that all our actions are set to paritytech/<name> and you can maintain all in one single place controlled by us and properly tested and security audited. That would be less obfuscated than a random hash and a comment.