This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch fix/ci-publish-docker-approved-pins
in repository https://gitbox.apache.org/repos/asf/skywalking-python.git

commit dbd69cf68a365f2e2c05f248e338475eac61c685
Author: Wu Sheng <[email protected]>
AuthorDate: Thu Jun 25 20:47:59 2026 +0800

    fix(ci): pin docker/* actions to ASF-approved SHAs in publish-docker
    
    The publish-docker workflow used floating @v3 tags for docker/login-action,
    docker/setup-qemu-action, and docker/setup-buildx-action. The ASF GitHub
    Actions allow-list only approves specific SHAs for third-party actions, so
    the workflow was rejected at startup (startup_failure) on master pushes.
    
    This workflow only runs on push-to-master and release, never on PRs, so the
    rejection did not surface in PR CI — it first failed when #388 merged.
    
    Pin all three to the approved SHAs already used across the sibling ASF
    SkyWalking repos:
      - docker/login-action@650006c6...      # v4.2.0
      - docker/setup-qemu-action@06116385...  # v4.1.0
      - docker/setup-buildx-action@d7f5e7f5... # v4.1.0
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .github/workflows/publish-docker.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish-docker.yaml 
b/.github/workflows/publish-docker.yaml
index e5d00e5..617244a 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -55,14 +55,14 @@ jobs:
             echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
           fi
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # 
v4.2.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_PASSWORD }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: 
docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: 
docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: Build and push docker image
         run: make push-image -j 5
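
Review bot: The three `uses:` lines do more than pin: each replaces `@v3` with a SHA annotated as a v4.x release (`# v4.2.0`, `# v4.1.0`), so this is also a major-version upgrade of all three docker/* actions, which the commit subject does not say. Because the message notes this workflow never runs on PRs, the v4 behaviour is first exercised on the master push itself; please confirm the `with:` inputs on the login step (`registry`, `username`, `password`) are still accepted in v4, and state the v3 to v4 move in the commit message. The trailing version comments are the only link between each SHA and a release, so each SHA should be checked against the tagged release commit in the upstream repository rather than taken from the comment.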
