fix(deps): resolve docker/docker dependabot alerts (5 dismissed — no go-importable fix)

decisions/0001-docker-cve-risk-acceptance.md

@@ -0,0 +1,68 @@
+# 1. Accept risk: github.com/docker/docker daemon-side CVEs (no go-importable fix)
+
+Date: 2026-05-31
+Status: Accepted
+Context: 5 GitHub Dependabot alerts on `github.com/docker/docker`
+
+## Context
+
+Dependabot reports 5 alerts against `github.com/docker/docker v28.5.2+incompatible`,
+which this plugin carries as a **transitive indirect** dependency via
+`github.com/GoCodeAlone/workflow`. The ci-generator plugin does not import
+`docker/docker` directly; it is pulled in solely because the workflow engine's
+`module/pipeline_step_docker_build.go` and `module/pipeline_step_docker_push.go`
+use the Docker client API.
+
+The five distinct advisories:
+
+| GHSA | CVE | Severity | Summary | Patched |
+|------|-----|----------|---------|---------|
+| GHSA-x86f-5xw2-fm2r | CVE-2026-41567 | high | `PUT /containers/{id}/archive` can execute code on host | none (no go module) |
+| GHSA-rg2x-37c3-w2rh | CVE-2026-42306 | high | Race condition in `docker cp` allows bind mount redirection | none |
+| GHSA-vp62-88p7-qqf5 | CVE-2026-41568 | medium | Race condition in `docker cp` allows arbitrary empty file creation | none |
+| GHSA-x744-4wpc-v9h2 | CVE-2026-34040 | high | AuthZ plugin bypass on oversized request bodies | 29.3.1 |
+| GHSA-pxq6-2prw-chj9 | CVE-2026-33997 | medium | Off-by-one in plugin privilege validation | none |
+
+`github.com/docker/docker v28.5.2+incompatible` is the **latest version importable
+as a Go module** (`go list -m -versions` tops out at v28.5.2). Moby's v29.x line —
+which carries the 29.3.1 fix for GHSA-x744 — is not published as a `+incompatible`
+Go module and cannot be `go get`-ed. The other four advisories have no published
+fix on any go-importable version. There is no version bump available that resolves
+any of these alerts.
+
+`go mod why github.com/docker/docker` reports "main module does not need package
+github.com/docker/docker" — the ci-generator itself never calls into Docker.
+
+This analysis mirrors `github.com/GoCodeAlone/workflow` ADR 0015
+(decisions/0015-docker-cve-risk-acceptance.md), written 2026-05-29 after the same
+investigation.
+
+## Decision
+
+**Accept the risk and dismiss the 5 alerts as `tolerable_risk`.** No
+go-importable fix exists, and the vulnerabilities are not reachable from this
+plugin's code paths.
+
+## Risk assessment
+
+All five advisories are **moby daemon-side** vulnerabilities: they are exploited
+against a running Docker *daemon* (container archive extraction, `docker cp` races,
+AuthZ-plugin and privilege parsing in the engine). This plugin is a **CI config
+generator** — it generates YAML/config files for GitHub Actions, GitLab CI,
+Jenkins, and CircleCI. It never spawns a Docker daemon, never calls `docker cp`,
+and never invokes container archive or privilege-plugin code.
+
+The `docker/docker` client library is dragged in transitively by the workflow
+engine SDK; the vulnerable daemon-side code paths in `docker/docker` are not
+compiled into this plugin's execution paths in any meaningful way.
+
+The exposure belongs to whoever operates the Docker daemon. Operators must keep
+their engine patched (≥ 29.3.1) independently of this plugin's Go dependency
+graph.
+
+## Follow-up
+
+Revisit when moby publishes a go-importable module carrying the fixes (either a
+go-gettable v29.x `+incompatible` tag or a named `github.com/moby/moby` module
+version ≥ 29.3.1), then bump the `github.com/GoCodeAlone/workflow` dependency
+and let the alerts auto-resolve.