Update product-os/flowzone action to v22.8.25

[klutchell-renovate]

This PR contains the following updates:

Package	Type	Update	Change
product-os/flowzone	action	patch	v22.8.20 → v22.8.25

---

Release Notes

product-os/flowzone (product-os/flowzone)

v22.8.25

Compare Source

81f19bb (Add tests for documentation and release build for cargo targets, 2026-01-15)

v22.8.24

Compare Source

Update dependency docker/buildx to v0.32.0

Notable changes

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Akhil Manoj
• David Karlsson
• yzewei
• Imagetools now supports --metadata-file flag to capture properties like descriptor/digest values for the new image. #​3638
• Imagetools auth libraries have now been combined with the ones used in build commands, enabling previously missing support for scoped credentials and automatic fallbacks for Docker Hardened Image registries. #​3627
• Many commands now support --timeout flag to configure the timeout for waiting for responses from remote builders. #​3648
• Rego Policy now supports validating builds from remote sources (Git, HTTP) #​3661
• Rego Policies now include new builtins for validating signed Sigstore bundle attestations of HTTP source artifacts. Attestations can also be automatically fetched from Github API #​3657
• Rego policies can now use input.image.provenance to write rules validating specific provenance attestation fields. Materials of provenance can be accessed as policy secondary inputs. Requires BuildKit v0.28+ #​3652 #​3662
• Builds failing due to policy violations now have better error messages with the failing step clearly marked and the last policy logs shown with the error. #​3656
• Fix possible passing of incorrect Git auth token for Bake builds when multiple remotes with different hosts exist. #​3648
• Fixed policy filesystem reference lifecycle handling to avoid stale policy filesystem state during builds. #​3674
• Normalized default policy filename resolution from environment configuration for more consistent behavior. #​3675
• Named contexts used in different projects now get unique "shared keys" (previously based on context name) to avoid overwriting destinations of other projects, with reduced performance. This feature requires Dockerfile 1.22+ #​3618
• Fix local subdir named context copied with wrong parent directory for remote Bake builds #​3678
• Bake builds now capture the original URL information of named contexts sent as inputs in request metadata #​3682 #​3462
• Additional metrics associated with DAP debugger have been added #​3633
• DAP file explorer now gets a more accurate state of the file system via updated BuildKit API #​3450
• DAP file explorer source names have been improved #​3631
• Improve the output of -q used with --call #​3655
• github.com/aws/aws-sdk-go-v2 v1.39.6 -> v1.41.1
• github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.7
• github.com/aws/aws-sdk-go-v2/credentials v1.18.24 -> v1.19.7
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.17
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 -> v1.4.17
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 -> v2.7.17
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 -> v1.13.4
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 -> v1.13.17
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 new
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 -> v1.30.9
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 -> v1.35.13
• github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 -> v1.41.6
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/cloudflare/circl v1.6.1 -> v1.6.3
• github.com/docker/cli v29.1.5 -> v29.2.1
• github.com/go-openapi/errors v0.22.4 -> v0.22.6
• github.com/go-openapi/jsonpointer v0.22.1 -> v0.22.4
• github.com/go-openapi/jsonreference v0.21.3 -> v0.21.4
• github.com/go-openapi/spec v0.22.1 -> v0.22.3
• github.com/go-openapi/swag v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/cmdutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/conv v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/fileutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonname v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/loading v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/mangling v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/netutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/stringutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/typeutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/yamlutils v0.25.3 -> v0.25.4
• github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
• github.com/golang/snappy v1.0.0 new
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/in-toto/in-toto-golang v0.9.0 -> v0.10.0
• github.com/klauspost/compress v1.18.2 -> v1.18.4
• github.com/moby/buildkit v0.27.0 -> v0.28.0
• github.com/moby/moby/api v1.52.0 -> v1.53.0
• github.com/moby/moby/client v0.2.1 -> v0.2.2
• github.com/moby/policy-helpers 9fcc1a9 -> 824747b
• github.com/package-url/packageurl-go v0.1.1 new
• github.com/pelletier/go-toml/v2 v2.2.4 new
• github.com/secure-systems-lab/go-securesystemslib v0.9.1 -> v0.10.0
• github.com/sigstore/rekor v1.4.3 -> v1.5.0
• github.com/sigstore/sigstore v1.10.0 -> v1.10.4
• github.com/sigstore/sigstore-go b5fe07a -> v1.1.4
• github.com/sigstore/timestamp-authority/v2 v2.0.2 -> v2.0.3
• github.com/theupdateframework/go-tuf/v2 v2.3.0 -> v2.4.1
• google.golang.org/genproto/googleapis/api f26f940 -> ff82c1b
• google.golang.org/genproto/googleapis/rpc f26f940 -> 0a764e5
• google.golang.org/grpc v1.76.0 -> v1.78.0

docker/buildx (docker/buildx)

v0.32.0

Compare Source

buildx 0.32.0

Welcome to the v0.32.0 release of buildx!

Please try out the release binaries and report any issues at
https://github.com/docker/buildx/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Akhil Manoj
• David Karlsson
• yzewei

Notable Changes

• Imagetools now supports --metadata-file flag to capture properties like descriptor/digest values for the new image. #​3638
• Imagetools auth libraries have now been combined with the ones used in build commands, enabling previously missing support for scoped credentials and automatic fallbacks for Docker Hardened Image registries. #​3627
• Many commands now support --timeout flag to configure the timeout for waiting for responses from remote builders. #​3648
• Rego Policy now supports validating builds from remote sources (Git, HTTP) #​3661
• Rego Policies now include new builtins for validating signed Sigstore bundle attestations of HTTP source artifacts. Attestations can also be automatically fetched from Github API #​3657
• Rego policies can now use input.image.provenance to write rules validating specific provenance attestation fields. Materials of provenance can be accessed as policy secondary inputs. Requires BuildKit v0.28+ #​3652 #​3662
• Builds failing due to policy violations now have better error messages with the failing step clearly marked and the last policy logs shown with the error. #​3656
• Fix possible passing of incorrect Git auth token for Bake builds when multiple remotes with different hosts exist. #​3648
• Fixed policy filesystem reference lifecycle handling to avoid stale policy filesystem state during builds. #​3674
• Normalized default policy filename resolution from environment configuration for more consistent behavior. #​3675
• Named contexts used in different projects now get unique "shared keys" (previously based on context name) to avoid overwriting destinations of other projects, with reduced performance. This feature requires Dockerfile 1.22+ #​3618
• Fix local subdir named context copied with wrong parent directory for remote Bake builds #​3678
• Bake builds now capture the original URL information of named contexts sent as inputs in request metadata #​3682 #​3462
• Additional metrics associated with DAP debugger have been added #​3633
• DAP file explorer now gets a more accurate state of the file system via updated BuildKit API #​3450
• DAP file explorer source names have been improved #​3631
• Improve the output of -q used with --call #​3655

Dependency Changes

• github.com/aws/aws-sdk-go-v2 v1.39.6 -> v1.41.1
• github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.7
• github.com/aws/aws-sdk-go-v2/credentials v1.18.24 -> v1.19.7
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.17
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 -> v1.4.17
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 -> v2.7.17
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 -> v1.13.4
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 -> v1.13.17
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 new
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 -> v1.30.9
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 -> v1.35.13
• github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 -> v1.41.6
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/cloudflare/circl v1.6.1 -> v1.6.3
• github.com/docker/cli v29.1.5 -> v29.2.1
• github.com/go-openapi/errors v0.22.4 -> v0.22.6
• github.com/go-openapi/jsonpointer v0.22.1 -> v0.22.4
• github.com/go-openapi/jsonreference v0.21.3 -> v0.21.4
• github.com/go-openapi/spec v0.22.1 -> v0.22.3
• github.com/go-openapi/swag v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/cmdutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/conv v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/fileutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonname v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/loading v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/mangling v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/netutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/stringutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/typeutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/yamlutils v0.25.3 -> v0.25.4
• github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
• github.com/golang/snappy v1.0.0 new
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/in-toto/in-toto-golang v0.9.0 -> v0.10.0
• github.com/klauspost/compress v1.18.2 -> v1.18.4
• github.com/moby/buildkit v0.27.0 -> v0.28.0
• github.com/moby/moby/api v1.52.0 -> v1.53.0
• github.com/moby/moby/client v0.2.1 -> v0.2.2
• github.com/moby/policy-helpers 9fcc1a9 -> 824747b
• github.com/package-url/packageurl-go v0.1.1 new
• github.com/pelletier/go-toml/v2 v2.2.4 new
• github.com/secure-systems-lab/go-securesystemslib v0.9.1 -> v0.10.0
• github.com/sigstore/rekor v1.4.3 -> v1.5.0
• github.com/sigstore/sigstore v1.10.0 -> v1.10.4
• github.com/sigstore/sigstore-go b5fe07a -> v1.1.4
• github.com/sigstore/timestamp-authority/v2 v2.0.2 -> v2.0.3
• github.com/theupdateframework/go-tuf/v2 v2.3.0 -> v2.4.1
• google.golang.org/genproto/googleapis/api f26f940 -> ff82c1b
• google.golang.org/genproto/googleapis/rpc f26f940 -> 0a764e5
• google.golang.org/grpc v1.76.0 -> v1.78.0

Previous release can be found at v0.31.1

List of commits

b356b58 (Update dependency docker/buildx to v0.32.0, 2026-03-04)

v22.8.23

Compare Source

Update actions/setup-node action to v6.3.0

Notable changes

• Support parsing devEngines field by @​​susnux in #​1283
• Fix npm audit issues by @​​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​​dependabot in #​1498
• Remove hardcoded bearer for mirror-url @​​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​​gowridurgad in #​1495
• @​​susnux made their first contribution in #​1283

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​​gowridurgad in #​1495

New Contributors

• @​​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

List of commits

304a7ea (Update actions/setup-node action to v6.3.0, 2026-03-04)

v22.8.22

Compare Source

Update GitHub Artifact Actions to v7 (major)

Notable changes

• Add proxy integration test by @​​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​​danwkennedy in #​762
• Support direct file uploads by @​​danwkennedy in #​764
• @​​Link- made their first contribution in #​754

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​​danwkennedy in #​762
• Support direct file uploads by @​​danwkennedy in #​764

New Contributors

• @​​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

List of commits

dda4fdc (Update GitHub Artifact Actions to v7, 2026-03-02)

v22.8.21

Compare Source

Update actions/download-artifact action to v8

Notable changes

• Don't attempt to un-zip non-zipped downloads by @​​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​​danwkennedy in #​461

actions/download-artifact (actions/download-artifact)

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

List of commits

4b3e3dc (Update actions/download-artifact action to v8, 2026-02-26)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.