From 61612aac9ee045a808337e0a1ecd256ecf2fbf28 Mon Sep 17 00:00:00 2001
From: Ryan Inch <mythologylover75@gmail.com>
Date: Tue, 19 May 2026 00:00:03 -0400
Subject: [PATCH] Update custom-docker-build-push workflow with changes from
 hubs repo

What: incorporates the changes from https://github.com/Hubs-Foundation/hubs/pull/6578

Why: so that all the custom-docker-build-push workflows remain in sync.

Note: part of https://github.com/Hubs-Foundation/.github/issues/5
---
 .github/workflows/custom-docker-build-push.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/custom-docker-build-push.yml b/.github/workflows/custom-docker-build-push.yml
index ee7a7259..9d8bd5cb 100644
--- a/.github/workflows/custom-docker-build-push.yml
+++ b/.github/workflows/custom-docker-build-push.yml
@@ -41,6 +41,8 @@ env:
   Use_Build_Cache: ${{ inputs.Use_Build_Cache }}
 # repo_name: This must be added in each job that needs it.
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -77,27 +79,28 @@ jobs:
 
       # Code
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: "./repo"
+          persist-credentials: false
 
       - name: Use Code_Path for multirepo
         if: ${{ env.Code_Path != ''}}
         run: |
           mkdir ./_repo
-          cp -rf ./repo/${{ env.Code_Path }}/* ./_repo
+          cp -rf ./repo/${Code_Path}/* ./_repo # shell variable is more secure than workflow variable
           rm -rf ./repo
           mv ./_repo ./repo
           ls ./repo
 
       # Docker
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           install: true
 
       - name: Login to container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.Registry_Base_URL }}
           username: ${{ env.Registry_Username }}
@@ -105,7 +108,7 @@ jobs:
 
       - name: Docker Build and Push (with cache)
         if: ${{ fromJSON(env.Use_Build_Cache) == true }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: repo/
           file: repo/${{ env.Dockerfile }}
@@ -116,7 +119,7 @@ jobs:
 
       - name: Docker Build and Push (no cache)
         if: ${{ fromJSON(env.Use_Build_Cache) == false }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: repo/
           file: repo/${{ env.Dockerfile }}