wu-sheng opened a new pull request, #406: URL: https://github.com/apache/skywalking-python/pull/406
### Problem

The `publish-docker` workflow fails at startup (`startup_failure`) on every push to `master` — the ASF GitHub Actions allow-list rejects its three third-party docker actions because they are pinned to floating `@v3` tags instead of approved SHAs:

- `docker/login-action@v3`
- `docker/setup-qemu-action@v3`
- `docker/setup-buildx-action@v3`

This workflow runs **only** on `push` to `master` and on `release` — never on `pull_request` — so the rejection does not appear in PR CI. It first surfaced when #388 merged: [run 28161685059](https://github.com/apache/skywalking-python/actions/runs/28161685059).

### Fix

Pin all three to the SHAs already approved on the [ASF allow-list](https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml) and used consistently across the sibling ASF SkyWalking repos:

| Action | Pin |
|--------|-----|
| `docker/login-action` | `650006c6eb7dba73a995cc03b0b2d7f5ca915bee` # v4.2.0 |
| `docker/setup-qemu-action` | `06116385d9baf250c9f4dcb4858b16962ea869c3` # v4.1.0 |
| `docker/setup-buildx-action` | `d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5` # v4.1.0 |

### Audit

Swept every `uses:` across all workflows. After this change, **all** third-party actions are SHA-pinned and on the allow-list (`dorny/paths-filter` was fixed in #405; `tcort/github-action-markdown-link-check` was already pinned). `actions/*` and `apache/*` are auto-allowed. No other floating third-party tags remain.

> Note: `startup_failure` means the workflow was rejected before any job ran, so there is no log to re-run — this must be fixed by editing the pins (as done here).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
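The kind of `uses:` sweep described in the Audit section, as an added example that is not part of the pull request or the project's code: it flags third-party actions whose ref is not a full 40-character commit SHA, treating `actions/*` and `apache/*` as auto-allowed as the PR states. The function name and the sample workflow are constructed for illustration, and the check covers only the pin format, not whether a SHA is actually on the ASF allow-list.

```python
import re

# Owners the PR text says are auto-allowed on the ASF allow-list.
AUTO_ALLOWED_OWNERS = {"actions", "apache"}
# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def find_floating_pins(workflow_text):
    """Return (line_no, reference) for third-party actions not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker:// images are not owner/repo@ref references.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        owner = name.split("/", 1)[0]
        if owner in AUTO_ALLOWED_OWNERS:
            continue
        # A tag or branch (v3, main) or a short SHA can move; only a full SHA is fixed.
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((line_no, ref))
    return findings


# Constructed sample workflow (not the repository's real file); the one SHA
# below is the setup-qemu-action pin quoted in the PR description.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Log in
        uses: docker/login-action@v3
      - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
      - uses: docker/setup-buildx-action@v3
"""

if __name__ == "__main__":
    for line_no, ref in find_floating_pins(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Because the failing workflow never runs on `pull_request`, a check like this is only useful if it runs over every file in `.github/workflows/` during PR CI.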
