wu-sheng opened a new pull request, #406:
URL: https://github.com/apache/skywalking-python/pull/406

### Problem

The `publish-docker` workflow fails at startup (`startup_failure`) on every push to `master` — the ASF GitHub Actions allow-list rejects its three third-party docker actions because they are pinned to floating `@v3` tags instead of approved SHAs:

- `docker/login-action@v3`
- `docker/setup-qemu-action@v3`
- `docker/setup-buildx-action@v3`

This workflow runs **only** on `push` to `master` and on `release` — never on `pull_request` — so the rejection does not appear in PR CI. It first surfaced when #388 merged: [run 28161685059](https://github.com/apache/skywalking-python/actions/runs/28161685059).

### Fix

Pin all three to the SHAs already approved on the [ASF allow-list](https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml) and used consistently across the sibling ASF SkyWalking repos:

| Action | Pin |
|--------|-----|
| `docker/login-action` | `650006c6eb7dba73a995cc03b0b2d7f5ca915bee` # v4.2.0 |
| `docker/setup-qemu-action` | `06116385d9baf250c9f4dcb4858b16962ea869c3` # v4.1.0 |
| `docker/setup-buildx-action` | `d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5` # v4.1.0 |

### Audit

Swept every `uses:` across all workflows. After this change, **all** third-party actions are SHA-pinned and on the allow-list (`dorny/paths-filter` was fixed in #405; `tcort/github-action-markdown-link-check` was already pinned). `actions/*` and `apache/*` are auto-allowed. No other floating third-party tags remain.

> Note: `startup_failure` means the workflow was rejected before any job ran, so there is no log to re-run — this must be fixed by editing the pins (as done here).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
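An audit script for the `uses:` sweep described in the PR, added here as an example and not part of the PR or the skywalking-python repository: it flags third-party action references that are not pinned to a 40-hex commit SHA, treating `actions/*` and `apache/*` as auto-allowed as the PR states. The `AUTO_ALLOWED_OWNERS` tuple and the sample workflow are constructed assumptions.

```python
import re

# Matches a `uses:` step reference such as `docker/login-action@v3` or
# `docker/login-action@<sha> # v4.2.0`; the trailing version comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Owners the ASF allow-list accepts without SHA pinning, per the PR text
# (assumption: only these two; extend if the allow-list lists more).
AUTO_ALLOWED_OWNERS = ("actions", "apache")

def check_uses(ref):
    """Return None if `ref` is acceptable, otherwise a short reason string."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local action or image reference, not a third-party tag
    if "@" not in ref:
        return "missing @ref"
    action, version = ref.rsplit("@", 1)
    if action.split("/", 1)[0] in AUTO_ALLOWED_OWNERS:
        return None
    if SHA_RE.match(version):
        return None
    return f"floating ref {version!r}"

def audit_workflow_text(text):
    """Return [(line_no, ref, reason)] for every unpinned third-party `uses:`."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and (reason := check_uses(m.group(1))):
            findings.append((n, m.group(1), reason))
    return findings

# Constructed sample resembling publish-docker before the fix (one step already pinned).
SAMPLE_WORKFLOW = """\
jobs:
  docker:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - name: Login
        uses: docker/login-action@v3
"""

if __name__ == "__main__":
    # Run this over each file in .github/workflows/ to reproduce the PR's audit.
    for n, ref, why in audit_workflow_text(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {why}")
```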


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
