This is an automated email from the ASF dual-hosted git repository.
epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-mcp.git
The following commit(s) were added to refs/heads/main by this push:
new 1374ba3 ci: log in to GHCR inline in release-publish.yml to bypass
ASF Actions allow-list (#154)
1374ba3 is described below
commit 1374ba3715ae13472dd9455f9d4e6af637da8379
Author: Aditya Parikh <[email protected]>
AuthorDate: Fri Jun 19 12:16:30 2026 -0400
ci: log in to GHCR inline in release-publish.yml to bypass ASF Actions
allow-list (#154)
release-publish.yml authenticates to GHCR with docker/login-action, a
third-party action not on the Apache org's GitHub Actions allow-list.
Allow-list rejection is parse-time, so it fails the whole workflow at startup
(zero jobs) the moment a release runs. The v4.2.0 (650006c6) SHA-pin from #145
does not help — that SHA is not allow-listed, unlike graalvm (329c42c), which
is and is left as-is.
Replace both GHCR login steps with an inline 'docker login' using the
built-in GITHUB_TOKEN. The token is piped via stdin (never on the command line
or in logs) and the username is read from an env var, so no untrusted value is
interpolated into the run script. This removes the allow-list dependency.
Companion to #153, which removed the unused publish job from
build-and-publish.yml. release-publish.yml genuinely needs to publish, so it
keeps the login — just inline.
Signed-off-by: adityamparikh <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
.github/workflows/release-publish.yml | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release-publish.yml
b/.github/workflows/release-publish.yml
index 3f8015d..4c6c6c7 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -402,12 +402,16 @@ jobs:
run: |
sed -i "s/version = \".*\"/version = \"${RELEASE_VERSION}\"/"
build.gradle.kts
+ # Inline `docker login` rather than docker/login-action: that third-party
+ # action is not on the ASF GitHub Actions allow-list, which fails the
whole
+ # workflow at startup. The token is piped via stdin (never on the command
+ # line or in logs) and the username is read from an env var, so no
untrusted
+ # value is interpolated into the run script.
- name: Log in to GHCR
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #
v4.2.0 (ASF-allow-listed, no expiry)
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GHCR_USER: ${{ github.actor }}
+ run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER"
--password-stdin
# Refuse to overwrite an already-published version tag. Moving tags
# (latest-*) are mutable and assembled later; per-version tags are not.
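Review bot: the inline `docker login` with GITHUB_TOKEN only works if this job's `permissions:` grants `packages: write`; that block lies outside this hunk, so confirm it is present here as it visibly is for the second job (`packages: write` under `contents: read`), otherwise the push fails later with a less obvious 403 than the allow-list parse error did. As a minor hardening nit, `printf '%s\n' "$GITHUB_TOKEN" | docker login ...` is preferable to `echo`, since `echo` treats a leading `-n`/`-e` as an option rather than data; with the current `ghs_`-prefixed token format this is cosmetic, but it costs nothing.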
@@ -451,12 +455,16 @@ jobs:
contents: read
packages: write
steps:
+ # Inline `docker login` rather than docker/login-action: that third-party
+ # action is not on the ASF GitHub Actions allow-list, which fails the
whole
+ # workflow at startup. The token is piped via stdin (never on the command
+ # line or in logs) and the username is read from an env var, so no
untrusted
+ # value is interpolated into the run script.
- name: Log in to GHCR
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #
v4.2.0 (ASF-allow-listed, no expiry)
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GHCR_USER: ${{ github.actor }}
+ run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GHCR_USER"
--password-stdin
- name: Create version manifest lists
env:
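Review bot: the five-line comment above `Log in to GHCR` is a verbatim copy of the one added to the first job in this patch; a one-line comment pointing to the earlier step (or a single explanation at the top of the file) would keep the two from drifting apart when the rationale changes. Also, `docker login` leaves the credential in the runner's Docker config for the rest of the job; a final `docker logout ghcr.io` step with `if: always()` would limit the token's on-disk lifetime to the steps that need it, which matters if this workflow ever runs on a non-ephemeral runner.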