wu-sheng opened a new pull request, #59:
URL: https://github.com/apache/skywalking-horizon-ui/pull/59

   ## Why
   
   ASF tightened the org-level GitHub Actions allow-list. The 
`docker/setup-buildx-action` and `docker/login-action` SHAs pinned in 
`publish-image.yaml` are no longer permitted, so the image-publish workflow 
fails before it runs:
   
   > The actions `docker/setup-buildx-action@8d2750c…` and 
`docker/login-action@c94ce9f…` are not allowed in 
`apache/skywalking-horizon-ui` because all actions must be from a repository 
owned by your enterprise, created by GitHub, or match one of the patterns …
   
   ## What
   
   Bump both actions to the exact SHAs the main **apache/skywalking** repo pins 
(it passes CI under the same enterprise allow-list, so these revisions are 
vetted):
   
   | action | old | new |
   |---|---|---|
   | `docker/setup-buildx-action` | `8d2750c…` | `d7f5e7f5…` (v4.1.0) |
   | `docker/login-action` | `c94ce9f…` | `650006c6…` (v4.2.0) |
   
   5 references updated (build job ×2, manifest job ×3). No behaviour change — 
same actions, allow-listed revisions.
   
   I re-audited every third-party action across both workflows; the rest are 
already compliant:
   - `actions/*` — created by GitHub.
   - `apache/skywalking-eyes@…` — enterprise-owned.
   - `pnpm/action-setup@v4` — already passing in `ci.yaml`.
   
   ## Validation
   
   YAML-only SHA swap; structure unchanged. The publish workflow only runs on 
push to `main` / `v*` tags, so it'll exercise on merge.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to