[
https://issues.apache.org/jira/browse/TIKA-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Allison updated TIKA-4758:
------------------------------
Description:
Claude's summary:
*Description:*
Starting on 2026-06-15, the "Docker snapshot - tika-server and tika-grpc"
workflow (.github/workflows/docker-snapshot.yml) fails on every push to main
with conclusion startup_failure — the run never starts, so no job/step
executes and no snapshot Docker images are published.
- Last successful run: 2026-06-13 — run 27469654104 (commit 8a55b9c3f)
- First failing run: 2026-06-15 — run 27528574963 (commit f1b48f8ae)
- Still failing: run 28019661756 (commit 979136ba1)
*Root cause*: the apache enterprise GitHub Actions allowlist no longer
permits the docker/* actions used by these workflows. The startup error is:
{quote}The action
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 is not
allowed in apache/tika because all actions must be from a repository owned by
your enterprise, created by GitHub, or match one of the patterns:
1Password/..., AdoptOpenJDK/install-jdk@*, DavidAnson/..., EnricoMi/...,
JamesIves/..., JetBrains/qodana-action@..., … (docker/ is not in the list)*
{quote}
*This is not a code regression:*
- The workflow file is byte-identical between the last-success commit
(8a55b9c3f) and the first-failure commit (f1b48f8ae) — no .github/ change.
- The only commit in that window is an unrelated dependabot bump
(error_prone_annotations 2.49.0→2.50.0, #2890), which cannot affect workflow
startup.
- The push-triggered main jdk17 build workflow (uses only actions/*) keeps
passing on the same commits; only the docker workflows (which add docker/*)
fail, and they fail before any step runs.
*Affected actions (all SHA-pinned, all now disallowed):*
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
- docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
Affected workflows: .github/workflows/docker-snapshot.yml,
.github/workflows/docker-release.yml
*Impact:* snapshot (and release) Docker images for apache/tika and
apache/tika-grpc have not been built/published since 2026-06-15.
*Proposed fix (one of):*
1. Replace the docker/* actions with the docker CLI in run: steps (docker
login, docker buildx create --use, docker buildx build --push). Buildx is
pre-installed on ubuntu-latest, and the multi-arch QEMU step already uses
docker run tonistiigi/binfmt (a container run, not an action — unaffected).
Self-service, no INFRA dependency.
2. Request ASF INFRA add the three docker/* action SHAs to the enterprise
allowlist.
was:
Claude's summary:
*Description:*
Starting on 2026-06-15, the "Docker snapshot - tika-server and tika-grpc"
workflow (.github/workflows/docker-snapshot.yml) fails on every push to main
with conclusion startup_failure — the run never starts, so no job/step
executes and no snapshot Docker images are published.
- Last successful run: 2026-06-13 — run 27469654104 (commit 8a55b9c3f)
- First failing run: 2026-06-15 — run 27528574963 (commit f1b48f8ae)
- Still failing: run 28019661756 (commit 979136ba1)
*Root cause*: the apache enterprise GitHub Actions allowlist no longer
permits the docker/* actions used by these workflows. The startup error is:
bq. The action
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 is not
allowed in apache/tika because all actions must be from a repository owned by
your enterprise, created by GitHub, or match one of the patterns:
1Password/..., AdoptOpenJDK/install-jdk@*, DavidAnson/..., EnricoMi/...,
JamesIves/..., JetBrains/qodana-action@..., … (docker/ is not in the list)*
*This is not a code regression:*
- The workflow file is byte-identical between the last-success commit
(8a55b9c3f) and the first-failure commit (f1b48f8ae) — no .github/ change.
- The only commit in that window is an unrelated dependabot bump
(error_prone_annotations 2.49.0→2.50.0, #2890), which cannot affect workflow
startup.
- The push-triggered main jdk17 build workflow (uses only actions/*) keeps
passing on the same commits; only the docker workflows (which add docker/*)
fail, and they fail before any step runs.
*Affected actions (all SHA-pinned, all now disallowed):*
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
- docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
Affected workflows: .github/workflows/docker-snapshot.yml,
.github/workflows/docker-release.yml
*Impact:* snapshot (and release) Docker images for apache/tika and
apache/tika-grpc have not been built/published since 2026-06-15.
*Proposed fix (one of):*
1. Replace the docker/* actions with the docker CLI in run: steps (docker
login, docker buildx create --use, docker buildx build --push). Buildx is
pre-installed on ubuntu-latest, and the multi-arch QEMU step already uses
docker run tonistiigi/binfmt (a container run, not an action — unaffected).
Self-service, no INFRA dependency.
2. Request ASF INFRA add the three docker/* action SHAs to the enterprise
allowlist.
> Docker snapshots failing
> ------------------------
>
> Key: TIKA-4758
> URL: https://issues.apache.org/jira/browse/TIKA-4758
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
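An added example, not part of the Jira issue or the Tika repository: a pre-merge check that lists every `uses:` reference in a workflow and flags the ones an allowed-actions policy would reject, so the problem shows up in review rather than as a `startup_failure`. The trusted-owner set, the single allowlist pattern (the only one the error message shows in full), the sample workflow and the glob matching are assumptions that approximate GitHub's pattern rules.

```python
import re
from fnmatch import fnmatchcase

# Assumption: owners treated as "owned by your enterprise" / "created by GitHub".
TRUSTED_OWNERS = {"apache", "actions", "github"}
# Constructed allowlist: only the one pattern the error message shows in full.
ALLOW_PATTERNS = ["AdoptOpenJDK/install-jdk@*"]

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the docker/* refs are the ones named in the issue.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
      - name: Build and push
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
"""

def audit(workflow_text, patterns=ALLOW_PATTERNS, trusted=TRUSTED_OWNERS):
    """Return one finding per `uses:` reference in the workflow text."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not owner/repo refs
        name, _, version = ref.partition("@")
        owner = name.split("/")[0]
        allowed = owner in trusted or any(
            # A pattern without "@" is matched against the action name only.
            fnmatchcase(ref if "@" in p else name, p) for p in patterns
        )
        findings.append({"ref": ref, "allowed": allowed,
                         "sha_pinned": bool(FULL_SHA_RE.match(version))})
    return findings

def disallowed(workflow_text, **kw):
    """Refs the given policy would reject (the whole run then fails to start)."""
    return [f["ref"] for f in audit(workflow_text, **kw) if not f["allowed"]]

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

The `sha_pinned` field is reported separately from `allowed` because, as the issue shows, pinning to a full commit SHA does not exempt an action from the allowlist.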