docker
diff --git a/‎.github/SECURITY.md‎
Lines changed: 1 addition & 1 deletion b/‎.github/SECURITY.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 26 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 26 deletions
diff --git a/‎.github/workflows/docs-upstream.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/docs-upstream.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/merge.yml‎
Lines changed: 29 additions & 59 deletions b/‎.github/workflows/merge.yml‎
Lines changed: 29 additions & 59 deletions
diff --git a/‎.github/workflows/pr-review.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/pr-review.yml‎
Lines changed: 3 additions & 2 deletions
@@ -37,7 +37,7 @@ offer a paid security bounty program at this time.
 
 ## Supported Versions
 
-This project docs not provide long-term supported versions, and only the current
+This project does not provide long-term supported versions, and only the current
 release and `main` branch are actively maintained. Docker Compose v1, and the
 corresponding [v1 branch](https://github.com/docker/compose/tree/v1) reached
 EOL and are no longer supported. 
 
@@ -35,17 +35,17 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Run
         run: |
           make ${{ matrix.target }}
 
   binary:
-    uses: docker/github-builder/.github/workflows/[email protected]
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     permissions:
       contents: read # same as global permission
       id-token: write # for signing attestation(s) with GitHub OIDC Token
@@ -67,7 +67,7 @@ jobs:
     steps:
       -
         name: Download artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: /tmp/compose-output
           name: ${{ needs.binary.outputs.artifact-name }}
@@ -103,15 +103,15 @@ jobs:
           done
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: release
           path: ./bin/release/*
           if-no-files-found: error
 
   bin-image-test:
     if: github.event_name == 'pull_request'
-    uses: docker/github-builder/.github/workflows/[email protected]
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     with:
       runner: amd64
       target: image-cross
@@ -132,25 +132,25 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           targets: test
           set: |
             *.cache-from=type=gha,scope=test
             *.cache-to=type=gha,scope=test
       -
         name: Gather coverage data
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: coverage-data-unit
           path: bin/coverage/unit/
           if-no-files-found: error
       - 
         name: Unit Test Summary
-        uses: test-summary/action@v2
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
           paths: bin/coverage/unit/report.xml       
         if: always()
@@ -185,7 +185,7 @@ jobs:
           echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install Docker ${{ matrix.engine }}
         run: |
@@ -199,15 +199,15 @@ jobs:
         run: docker --version
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Set up Docker Model
         run: |
           sudo apt-get install docker-model-plugin
           docker model version
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: '.go-version'
           check-latest: true
@@ -217,7 +217,7 @@ jobs:
         run: make example-provider
 
       - name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           source: .
           targets: binary-with-coverage
@@ -230,7 +230,7 @@ jobs:
 
       - name: Setup tmate session
         if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled }}
-        uses: mxschmitt/action-tmate@8b4e4ac71822ed7e0ad5fb3d1c33483e9e8fb270 # v3.11
+        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
         with:
           limit-access-to-actor: true
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -244,7 +244,7 @@ jobs:
 
       - name: Gather coverage data
         if: ${{ matrix.mode == 'plugin' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }}
           path: bin/coverage/e2e/
@@ -258,7 +258,7 @@ jobs:
           make e2e-compose-standalone
 
       - name: e2e Test Summary
-        uses: test-summary/action@v2
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
           paths: /tmp/report/report.xml       
         if: always()
@@ -271,20 +271,20 @@ jobs:
     steps:
       # codecov won't process the report without the source code available
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: '.go-version'
           check-latest: true
       - name: Download unit test coverage
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: coverage-data-unit
           path: coverage/unit
           merge-multiple: true
       - name: Download E2E test coverage
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: coverage-data-e2e-*
           path: coverage/e2e
@@ -293,13 +293,13 @@ jobs:
         run: |
           go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt
       - name: Store coverage report in GitHub Actions
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: go-covdata-txt
           path: ./coverage.txt
           if-no-files-found: error
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
         with:
           files: ./coverage.txt
 
@@ -312,10 +312,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Download artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: ./bin/release
           name: release
@@ -330,7 +330,7 @@ jobs:
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # v1.10.0
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           artifacts: ./bin/release/*
           generateReleaseNotes: true
 
@@ -34,17 +34,17 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Upload reference YAML docs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: docs-yaml
           path: docs/reference
           retention-days: 1
 
   validate:
-    uses: docker/docs/.github/workflows/validate-upstream.yml@main
+    uses: docker/docs/.github/workflows/validate-upstream.yml@464a44a6e72b37cf1755968477e242a5e5f6ef7d # main 2026-03-24
     needs:
       - docs-yaml
     with:
 
@@ -18,62 +18,6 @@ env:
   REPO_SLUG: "docker/compose-bin"
 
 jobs:
-  e2e:
-    name: Build and test
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 15
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [desktop-windows, desktop-macos, desktop-m1]
-        # mode: [plugin, standalone]
-        mode: [plugin]
-    env:
-      GO111MODULE: "on"
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: '.go-version'
-          cache: true
-          check-latest: true
-
-      - name: List Docker resources on machine
-        run: |
-          docker ps --all
-          docker volume ls
-          docker network ls
-          docker image ls
-      - name: Remove Docker resources on machine
-        continue-on-error: true
-        run: |
-          docker kill $(docker ps -q)
-          docker rm -f $(docker ps -aq)
-          docker volume rm -f $(docker volume ls -q)
-          docker ps --all
-
-      - name: Unit tests
-        run: make test
-
-      - name: Build binaries
-        run: |
-          make
-      - name: Check arch of go compose binary
-        run: |
-          file ./bin/build/docker-compose
-        if: ${{ !contains(matrix.os, 'desktop-windows') }}
-      -
-        name: Test plugin mode
-        if: ${{ matrix.mode == 'plugin' }}
-        run: |
-          make e2e-compose
-      -
-        name: Test standalone mode
-        if: ${{ matrix.mode == 'standalone' }}
-        run: |
-          make e2e-compose-standalone
-
   bin-image-prepare:
     runs-on: ubuntu-24.04
     outputs:
@@ -83,7 +27,7 @@ jobs:
       - run: echo "Exposing env vars for reusable workflow"
 
   bin-image:
-    uses: docker/github-builder/.github/workflows/[email protected]
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     needs:
       - bin-image-prepare
     permissions:
@@ -110,14 +54,40 @@ jobs:
           username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }}
           password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
 
+  module-image:
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
+    permissions:
+      contents: read # same as global permission
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
+    with:
+      runner: amd64
+      target: image-module-cross
+      cache: true
+      cache-scope: module-image
+      output: image
+      push: ${{ startsWith(github.ref, 'refs/tags/v') }}
+      sbom: true
+      set-meta-labels: true
+      meta-images: |
+        docker/compose-desktop-module
+      meta-tags: |
+        type=ref,event=branch
+        type=ref,event=tag
+      meta-bake-target: meta-helper
+    secrets:
+      registry-auths: |
+        - registry: docker.io
+          username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+
   desktop-edge-test:
     runs-on: ubuntu-latest
     needs: bin-image
     steps:
       -
         name: Generate Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
         with:
           app-id: ${{ vars.DOCKERDESKTOP_APP_ID }}
           private-key: ${{ secrets.DOCKERDESKTOP_APP_PRIVATEKEY }}
@@ -126,7 +96,7 @@ jobs:
             ${{ secrets.DOCKERDESKTOP_REPO }}
       -
         name: Trigger Docker Desktop e2e with edge version
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |
 
@@ -1,12 +1,13 @@
 name: PR Review
-
 on:
   pull_request:
     types: [opened, ready_for_review]
   issue_comment:
     types: [created]
-  pull_request_review_comment:
+  pull_request_review_comment: # Captures feedback on review comments for learning
     types: [created]
+  pull_request:                # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review)
+    types: [ready_for_review, opened]
 
 jobs:
   review: