This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch feature/post-vote-script
in repository https://gitbox.apache.org/repos/asf/skywalking-graalvm-distro.git


The following commit(s) were added to refs/heads/feature/post-vote-script by 
this push:
     new ea2b536  Pin third-party GitHub Actions to approved SHAs
ea2b536 is described below

commit ea2b5369e96b14aa07d2df27afde37070f308ca6
Author: Wu Sheng <[email protected]>
AuthorDate: Mon Mar 23 17:32:12 2026 +0800

    Pin third-party GitHub Actions to approved SHAs
    
    Apache enforces an allow list for third-party actions
    (apache/infrastructure-actions approved_patterns.yml).
    Pin all four blocked actions by commit hash:
    - graalvm/setup-graalvm@v1
    - docker/setup-buildx-action@v3
    - docker/login-action@v3
    - docker/build-push-action@v6
---
 .github/workflows/ci.yml | 49 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 35 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c8392bd..7fbbe7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -49,9 +49,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Check license headers
-        uses: apache/skywalking-eyes/header@main
+        uses: 
apache/skywalking-eyes/header@5b7ee1731d036b5aac68f8bd3fc9e6f98ada082e
 
   # ── Shared: init skywalking submodule and cache .m2/repository ──
   init-skywalking:
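Review bot: The new pin on `apache/skywalking-eyes/header` has no trailing comment saying which ref the hash was taken from, unlike the other pins in this commit, which are annotated `# v1`, `# v3` or `# v6`. Because the previous ref was `main`, a reader cannot tell how old the pinned commit is or whether it corresponds to a release. Add a comment after the hash, for example `# <release tag, or "main as of YYYY-MM-DD">` (placeholder), so later bumps can be reviewed against a known ref. `actions/checkout@v5` in the same hunk stays on a moving tag; that is presumably permitted by the allow list, but worth confirming.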
@@ -68,6 +70,7 @@ jobs:
         with:
           ref: ${{ github.event.inputs.commit || github.ref }}
           submodules: recursive
+          persist-credentials: false
 
       - name: Resolve build metadata
         id: meta
@@ -87,7 +90,7 @@ jobs:
           fi
 
       - name: Set up GraalVM JDK 25
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@eec48106e0bf45f2976c2ff0c3e22395cced8243  
# v1
         with:
           java-version: '25'
           distribution: 'graalvm'
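Review bot: The `# v1` comment on the `graalvm/setup-graalvm` pin names a moving major tag, so the hash cannot later be checked against a fixed release. Recording the exact release the hash belongs to, e.g. `# v1.x.y` (placeholder, use the real tag), keeps the pin auditable and gives any update tooling that reads these comments a precise version to compare against. The same applies to the other two `setup-graalvm` hunks and to the `# v3` / `# v6` comments on the `docker/*` pins further down.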
@@ -118,9 +121,10 @@ jobs:
         uses: actions/checkout@v5
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Set up GraalVM JDK 25
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@eec48106e0bf45f2976c2ff0c3e22395cced8243  
# v1
         with:
           java-version: '25'
           distribution: 'graalvm'
@@ -172,9 +176,10 @@ jobs:
         with:
           ref: ${{ github.event.inputs.commit || github.ref }}
           submodules: recursive
+          persist-credentials: false
 
       - name: Set up GraalVM JDK 25
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@eec48106e0bf45f2976c2ff0c3e22395cced8243  
# v1
         with:
           java-version: '25'
           distribution: 'graalvm'
@@ -194,11 +199,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: github.event_name != 'pull_request'
-        uses: docker/setup-buildx-action@v3
+        uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3
 
       - name: Log in to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # 
v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -206,7 +211,7 @@ jobs:
 
       - name: Log in to Docker Hub (release only)
         if: github.event_name != 'pull_request' && 
needs.init-skywalking.outputs.is-release == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # 
v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -214,7 +219,7 @@ jobs:
       - name: Build and push by digest (GHCR)
         if: github.event_name != 'pull_request'
         id: build-ghcr
-        uses: docker/build-push-action@v6
+        uses: 
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6
         with:
           context: .
           file: docker/Dockerfile.native
@@ -226,7 +231,7 @@ jobs:
       - name: Build and push by digest (Docker Hub, release only)
         if: github.event_name != 'pull_request' && 
needs.init-skywalking.outputs.is-release == 'true'
         id: build-dockerhub
-        uses: docker/build-push-action@v6
+        uses: 
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6
         with:
           context: .
           file: docker/Dockerfile.native
@@ -370,6 +375,12 @@ jobs:
             case: aws-eks
           - name: AWS API Gateway
             case: aws-api-gateway
+          - name: Kafka Transport
+            case: kafka-transport
+          - name: Cilium
+            case: cilium
+          - name: Rover
+            case: rover
           - name: Self Observability
             case: so11y
           - name: MQE
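Review bot: The three matrix entries added here (`kafka-transport`, `cilium`, `rover`) and the new `Build e2e-service-provider jar` step in a later hunk are not covered by the commit message, which describes only action pinning. Mixing functional CI changes into a supply-chain hardening commit makes the pinning harder to audit or revert on its own; consider a separate commit, or at least a line in the description. Also, only `kafka-transport` is added to the JDK 17 `if:` lists later in the diff. If `cilium` and `rover` are meant to skip the Java test-service setup, a short comment next to the entries would make that explicit.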
@@ -379,6 +390,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Download Docker image
         uses: actions/download-artifact@v5
@@ -390,14 +402,14 @@ jobs:
         run: docker load -i /tmp/skywalking-oap-native.tar
 
       - name: Set up JDK 17 (test service build)
-        if: 
contains(fromJSON('["baseline","mqe","aws-dynamodb","aws-s3","aws-eks","aws-api-gateway"]'),
 matrix.test.case)
+        if: 
contains(fromJSON('["baseline","mqe","kafka-transport","aws-dynamodb","aws-s3","aws-eks","aws-api-gateway"]'),
 matrix.test.case)
         uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Restore Maven cache (test service build)
-        if: 
contains(fromJSON('["baseline","mqe","aws-dynamodb","aws-s3","aws-eks","aws-api-gateway"]'),
 matrix.test.case)
+        if: 
contains(fromJSON('["baseline","mqe","kafka-transport","aws-dynamodb","aws-s3","aws-eks","aws-api-gateway"]'),
 matrix.test.case)
         uses: actions/cache/restore@v5
         with:
           path: ~/.m2/repository
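Review bot: The case list inside `fromJSON('[...]')` is duplicated verbatim in the two `if:` conditions of this hunk, and this commit had to edit both copies to add `kafka-transport`. A per-entry flag in the matrix would stop the copies drifting apart: add `jdk17: true` to the entries that build Java test services and use `if: matrix.test.jdk17` on both steps. The matrix definition is only partly visible in this diff, so confirm the entry shape before changing it.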
@@ -420,6 +432,14 @@ jobs:
             -pl e2e-mock-baseline-server -am \
             package -DskipTests -Dmaven.javadoc.skip
 
+      - name: Build e2e-service-provider jar (kafka-transport only)
+        if: matrix.test.case == 'kafka-transport'
+        run: |
+          cd skywalking && ./mvnw -B -q \
+            -f test/e2e-v2/java-test-service/pom.xml \
+            -pl e2e-service-provider -am \
+            package -DskipTests -Dmaven.javadoc.skip
+
       - name: Run E2E test
         uses: 
apache/skywalking-infra-e2e@8c21e43e241a32a54bdf8eeceb9099eb27e5e9b4
         with:
@@ -450,10 +470,10 @@ jobs:
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # 
v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -461,7 +481,7 @@ jobs:
 
       - name: Log in to Docker Hub (release only)
         if: needs.init-skywalking.outputs.is-release == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # 
v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -505,6 +525,7 @@ jobs:
           ref: ${{ github.event.inputs.commit || github.ref }}
           submodules: true
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Generate version metadata
         run: |
