chore(deps): update docker/metadata-action action to v6.1.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker/metadata-action	action	minor	v6.0.0 → v6.1.0

---

Release Notes

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​613
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​658 #​630
• Bump csv-parse from 6.1.0 to 6.2.1 in #​617
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​620
• Bump flatted from 3.3.3 to 3.4.2 in #​623
• Bump glob from 10.3.15 to 10.5.0 in #​621
• Bump handlebars from 4.7.8 to 4.7.9 in #​629
• Bump lodash from 4.17.23 to 4.18.1 in #​639
• Bump moment-timezone from 0.6.0 to 0.6.1 in #​619
• Bump picomatch from 4.0.3 to 4.0.4 in #​626
• Bump postcss from 8.5.6 to 8.5.10 in #​649
• Bump tar from 6.2.1 to 7.5.15 in #​657
• Bump undici from 6.23.0 to 6.25.0 in #​614
• Bump vite from 7.3.1 to 7.3.2 in #​637

Full Changelog: docker/metadata-action@v6.0.0...v6.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

• No breaking changes: This is a minor version bump (v6.0.0 → v6.1.0); the action's public API (inputs/outputs) is unchanged.
• Dependency security updates (the bulk of the release):
  • brace-expansion 1.1.12 → 5.0.6 — addresses a known ReDoS vulnerability
  • tar 6.2.1 → 7.5.15 — major bump; security-hardened archive handling
  • postcss 8.5.6 → 8.5.10 — security fix
  • handlebars 4.7.8 → 4.7.9 — security patch
  • lodash 4.17.23 → 4.18.1 — minor security/maintenance
  • undici, vite, flatted, glob, picomatch, csv-parse, fast-xml-parser, moment-timezone — routine maintenance bumps

🎯 Impact Scope Investigation

• Single usage location: .github/workflows/release-please.yml:115 — inside the Docker image publish job.
• Usage pattern: Generates Docker image metadata (tags and labels) using standard semver patterns and type=sha/type=raw. These inputs/outputs are unchanged in v6.1.0.
• Commit hash verification: The new pin 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 is confirmed to match the v6.1.0 tag on GitHub. The old pin 030e881283bb7a6894de51c315a6bfe6a94e05cf matches v6.0.0. No hash mismatch or tampering detected.
• No transitive impact: This action is only invoked during release publish; no runtime or test code is affected.

💡 Recommended Actions

• No migration steps required.
• No code changes needed in the workflow — the with: block and downstream ${{ steps.meta.outputs.* }} references remain fully compatible.
• Merge as-is once CI passes.

🔗 Reference Links

• docker/metadata-action v6.1.0 release
• Diff v6.0.0...v6.1.0

Generated by koki-develop/claude-renovate-review