Copilot commented on code in PR #18010:
URL: https://github.com/apache/pinot/pull/18010#discussion_r3012609779
##########
.github/workflows/build-pinot-docker-image.yml:
##########
@@ -44,17 +44,25 @@ on:
jobs:
build-pinot-docker-image:
name: Build Pinot Docker Image
- runs-on: ubuntu-latest
+ runs-on: ${{ github.event.inputs.platform == 'linux/arm64' &&
'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
steps:
+ - name: Validate target platform
+ env:
+ BUILD_PLATFORM: ${{ github.event.inputs.platform }}
+ run: |
+ case "${BUILD_PLATFORM}" in
+ linux/amd64|linux/arm64)
+ ;;
+ *)
+ echo "Unsupported platform: ${BUILD_PLATFORM}. Use linux/amd64 or
linux/arm64." >&2
+ exit 1
+ ;;
+ esac
- name: Login to DockerHub
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #
v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
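Review bot: the `+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0` line already replaces the mutable `@v4` tag with a full commit SHA, so the pinning request in the comment below looks satisfied by this hunk; what still needs checking is that the SHA actually resolves to the upstream `v4.0.0` tag, because the trailing comment is informational only and nothing enforces that the two agree. The validation step passes `github.event.inputs.platform` through `env: BUILD_PLATFORM` instead of interpolating `${{ }}` into the `run:` script, which keeps the dispatch input from being parsed as shell; keep that pattern. Note that `runs-on` resolves to `ubuntu-24.04` for any value other than `linux/arm64`, so an unsupported value still allocates a runner before the `case` rejects it, which is unavoidable since `runs-on` is evaluated before any step.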
Review Comment:
This workflow still uses `docker/login-action@v4`, which is a third-party
action outside the `apache/*`, `github/*`, and `actions/*` namespaces. The PR
description says these should be pinned to exact allowlisted commit SHAs;
please pin `docker/login-action` to a specific SHA (and include the version
comment) to match the stated ASF compliance goal.
##########
.github/workflows/build-superset-docker-image.yml:
##########
@@ -40,17 +40,25 @@ on:
jobs:
build-superset-pinot-docker-image:
name: Build Superset Pinot Docker Image
- runs-on: ubuntu-latest
+ runs-on: ${{ github.event.inputs.platform == 'linux/arm64' &&
'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
steps:
+ - name: Validate target platform
+ env:
+ BUILD_PLATFORM: ${{ github.event.inputs.platform }}
+ run: |
+ case "${BUILD_PLATFORM}" in
+ linux/amd64|linux/arm64)
+ ;;
+ *)
+ echo "Unsupported platform: ${BUILD_PLATFORM}. Use linux/amd64 or
linux/arm64." >&2
+ exit 1
+ ;;
+ esac
- name: Login to DockerHub
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #
v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
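Review bot: if this workflow has any trigger besides `workflow_dispatch`, `github.event.inputs.platform` is empty on those runs and the `case` falls through to `*)`, failing the job with a blank `Unsupported platform:` message; if that is possible, default the variable (`BUILD_PLATFORM: ${{ github.event.inputs.platform || 'linux/amd64' }}`) or guard the step with an `if:`. The validation block is also byte-for-byte identical to the one in `build-pinot-docker-image.yml`; moving it into a repository-local composite action keeps the two copies from drifting without adding another third-party dependency to the allowlist.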
Review Comment:
This workflow still uses `docker/login-action@v4`, which is a third-party
action outside the `apache/*`, `github/*`, and `actions/*` namespaces. Since
the PR’s goal is to pin third-party actions to allowlisted commit SHAs, this
should also be pinned to an exact SHA (with an inline version comment) for
compliance consistency.
##########
.github/workflows/build-pinot-base-docker-image.yml:
##########
@@ -38,17 +38,14 @@ jobs:
runner: ubuntu-24.04-arm
steps:
- name: Login to DockerHub
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #
v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
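Review bot: the pin to `docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0` meets the stated goal here, but the `# v4.0.0` comment is the only human-readable record of which release the SHA corresponds to, so it goes stale silently the first time someone bumps the SHA by hand; add a `github-actions` entry to `.github/dependabot.yml` (or an equivalent pin-update job) so the SHA and the version comment are bumped together, and the same applies to the other two workflows in this PR.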
Review Comment:
This workflow still uses `docker/login-action@v4`, which is a third-party
action outside the `apache/*`, `github/*`, and `actions/*` namespaces. The PR
summary states these should be pinned to exact allowlisted commit SHAs; please
pin this action to a specific SHA to fully satisfy the ASF allowlist
requirement.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.