This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch fix/pin-docker-login-action-asf
in repository https://gitbox.apache.org/repos/asf/skywalking-java.git

commit 0dfa8ed5f96d6dcbb4d2726239f334fc192c997b
Author: Wu Sheng <[email protected]>
AuthorDate: Wed Jul 1 17:54:15 2026 +0800

    Pin docker/login-action to an ASF-approved commit SHA
    
    The ASF org-wide GitHub Actions allow-list requires third-party actions to 
be
    pinned to a reviewed commit SHA rather than a floating version tag. 
publish-docker.yaml
    referenced docker/[email protected], which the allow-list rejects. Pin 
it to
    650006c6eb7dba73a995cc03b0b2d7f5ca915bee (v4.2.0) — the same approved SHA 
used by
    the apache/skywalking repo and present in apache/infrastructure-actions' 
approved_patterns.yml.
---
 .github/workflows/publish-docker.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish-docker.yaml 
b/.github/workflows/publish-docker.yaml
index 1eb75de778..13dd95e4ae 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -91,7 +91,7 @@ jobs:
           docker info
           echo "DOCKER_API_VERSION=$(docker version --format 
'{{.Server.APIVersion}}')" >> "$GITHUB_ENV"
       - name: Log in to the Container registry
-        uses: docker/[email protected]
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # 
v4.2.0
         with:
           registry: ${{ env.HUB }}
           username: ${{ github.actor }}

Reply via email to