wu-sheng opened a new pull request, #59: URL: https://github.com/apache/skywalking-horizon-ui/pull/59
## Why ASF tightened the org-level GitHub Actions allow-list. The `docker/setup-buildx-action` and `docker/login-action` SHAs pinned in `publish-image.yaml` are no longer permitted, so the image-publish workflow fails before it runs: > The actions `docker/setup-buildx-action@8d2750c…` and `docker/login-action@c94ce9f…` are not allowed in `apache/skywalking-horizon-ui` because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns … ## What Bump both actions to the exact SHAs the main **apache/skywalking** repo pins (it passes CI under the same enterprise allow-list, so these revisions are vetted): | action | old | new | |---|---|---| | `docker/setup-buildx-action` | `8d2750c…` | `d7f5e7f5…` (v4.1.0) | | `docker/login-action` | `c94ce9f…` | `650006c6…` (v4.2.0) | 5 references updated (build job ×2, manifest job ×3). No behaviour change — same actions, allow-listed revisions. I re-audited every third-party action across both workflows; the rest are already compliant: - `actions/*` — created by GitHub. - `apache/skywalking-eyes@…` — enterprise-owned. - `pnpm/action-setup@v4` — already passing in `ci.yaml`. ## Validation YAML-only SHA swap; structure unchanged. The publish workflow only runs on push to `main` / `v*` tags, so it'll exercise on merge. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
