This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-horizon-ui.git
The following commit(s) were added to refs/heads/main by this push:
new 419b83c ci: SHA-pin docker actions + repo guard for publish-image
419b83c is described below
commit 419b83c455fa1b1ddd46e6e4e16e6949de95025c
Author: Wu Sheng <[email protected]>
AuthorDate: Thu May 14 20:19:06 2026 +0800
ci: SHA-pin docker actions + repo guard for publish-image
The first run of publish-image landed with `startup_failure` and zero
scheduled jobs — Apache org policy mirrors `apache/skywalking`'s
publish-docker.yaml: third-party actions must be SHA-pinned. Refs
re-pinned to the same SHAs upstream uses, `actions/checkout@v6`
downgraded to `@v4` to match, and a `github.repository ==` guard
added so fork pushes don't try to publish.
---
.github/workflows/publish-image.yaml | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/publish-image.yaml
b/.github/workflows/publish-image.yaml
index 37c0fc3..031ac1e 100644
--- a/.github/workflows/publish-image.yaml
+++ b/.github/workflows/publish-image.yaml
@@ -18,10 +18,14 @@
# - push to `main` (tagged with `main` + the full commit SHA)
# - any `v*` tag (tagged with the version + the full commit SHA)
#
-# The full commit SHA is the canonical, immutable identifier — moving tags
-# like `main` and `vX.Y.Z` are conveniences that *also* point at the same
-# SHA-pinned image. Operators should pull by SHA in production.
-name: Publish image
+# The full commit SHA is the canonical, immutable identifier — moving
+# tags like `main` and `vX.Y.Z` are conveniences that *also* point at
+# the same SHA-pinned image. Operators should pull by SHA in production.
+#
+# Third-party actions are SHA-pinned per ASF infra policy (mirrors the
+# `apache/skywalking` publish-docker.yaml). `if: github.repository ==`
+# also matches that pattern — fork pushes don't run the publish job.
+name: publish-image
on:
push:
@@ -44,22 +48,23 @@ env:
jobs:
build-and-push:
- name: Build + push (${{ github.ref_type }} ${{ github.ref_name }})
+ if: github.repository == 'apache/skywalking-horizon-ui'
+ name: Build + push
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses:
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- name: Log in to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
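Review bot: The new 40-character pins on `docker/setup-qemu-action`, `docker/setup-buildx-action` and `docker/login-action` carry no trailing version comment, so a reader cannot tell which release each SHA corresponds to or confirm that it is a tagged release commit; the `docker/metadata-action` and `docker/build-push-action` pins in the later hunks have the same gap. Appending the release to each line, e.g. `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # <release tag>`, keeps the pin auditable and gives update tooling that reads such comments something to bump. `actions/checkout@v4` remains a mutable tag in a job that goes on to log in to the registry. That is acceptable if the policy exempts GitHub-owned actions, but pinning it by SHA too would make every input to the publish job immutable. The `steps:` list continues outside the hunk.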
@@ -67,10 +72,10 @@ jobs:
# The canonical tag is the full 40-char commit SHA. We also publish
# moving tags so common workflows ("pull :main", "pull :v1.2.3")
- # work — they all resolve back to the same SHA-tagged image.
+ # work — they all resolve back to the same SHA-pinned image.
- name: Compute image tags
id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
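Review bot: The reworded comment above `Compute image tags` now says "SHA-pinned image", but the step produces a registry tag named after the commit SHA, and a tag can be re-pointed by a later push (a re-run on the same commit, for instance) unless the registry enforces tag immutability. The previous wording "SHA-tagged" was the accurate one; I would keep it and state where immutability comes from: `# work — they all point at the same image as the SHA tag; pull by digest (@sha256:…) when an immutable reference is needed.` The header comment's "Operators should pull by SHA in production" has the same ambiguity between commit-SHA tag and image digest. The `tags:` block continues outside the hunk.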
@@ -87,7 +92,7 @@ jobs:
org.opencontainers.image.licenses=Apache-2.0
- name: Build + push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
with:
context: .
file: Dockerfile