This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-python.git


The following commit(s) were added to refs/heads/master by this push:
     new 88d30ab  fix(ci): pin docker/* actions to ASF-approved SHAs in publish-docker (#406)
88d30ab is described below

commit 88d30abff4787b0d3331eb6825a52a8f1ad88a6d
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Thu Jun 25 21:42:41 2026 +0800

    fix(ci): pin docker/* actions to ASF-approved SHAs in publish-docker (#406)
    
    The publish-docker workflow used floating @v3 tags for docker/login-action,
    docker/setup-qemu-action, and docker/setup-buildx-action. The ASF GitHub
    Actions allow-list only approves specific SHAs for third-party actions, so
    the workflow was rejected at startup (startup_failure) on master pushes.
    
    This workflow only runs on push-to-master and release, never on PRs, so the
    rejection did not surface in PR CI — it first failed when #388 merged.
    
    Pin all three to the approved SHAs already used across the sibling ASF
    SkyWalking repos:
      - docker/login-action@650006c6...      # v4.2.0
      - docker/setup-qemu-action@06116385...  # v4.1.0
      - docker/setup-buildx-action@d7f5e7f5... # v4.1.0
---
 .github/workflows/publish-docker.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish-docker.yaml 
b/.github/workflows/publish-docker.yaml
index e5d00e5..617244a 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -55,14 +55,14 @@ jobs:
             echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
           fi
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # 
v4.2.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_PASSWORD }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: 
docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: 
docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: Build and push docker image
         run: make push-image -j 5
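
Review bot: The three `uses:` lines do more than pin: each moves from `@v3` to a SHA annotated as v4.x (`docker/login-action` v4.2.0, `docker/setup-qemu-action` and `docker/setup-buildx-action` v4.1.0), so this is also a major-version upgrade of all three actions, which the commit subject does not say. The message notes that this workflow runs only on push-to-master and release, so the upgrade is first exercised on a real publish run; suggest calling out the v3 to v4 jump in the message and confirming that the `registry`, `username` and `password` inputs under `with:` are still accepted by the v4 login action. The trailing `# v4.x.y` comments are the only human-readable record of what each SHA refers to, so each SHA should be checked against the upstream release tag it claims, and the comment kept in step with the SHA on every future bump.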
