This is an automated email from the ASF dual-hosted git repository. wu-sheng pushed a commit to branch fix/pin-docker-login-action-asf in repository https://gitbox.apache.org/repos/asf/skywalking-java.git
commit 0dfa8ed5f96d6dcbb4d2726239f334fc192c997b Author: Wu Sheng <[email protected]> AuthorDate: Wed Jul 1 17:54:15 2026 +0800 Pin docker/login-action to an ASF-approved commit SHA The ASF org-wide GitHub Actions allow-list requires third-party actions to be pinned to a reviewed commit SHA rather than a floating version tag. publish-docker.yaml referenced docker/[email protected], which the allow-list rejects. Pin it to 650006c6eb7dba73a995cc03b0b2d7f5ca915bee (v4.2.0) — the same approved SHA used by the apache/skywalking repo and present in apache/infrastructure-actions' approved_patterns.yml. --- .github/workflows/publish-docker.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docker.yaml b/.github/workflows/publish-docker.yaml index 1eb75de778..13dd95e4ae 100644 --- a/.github/workflows/publish-docker.yaml +++ b/.github/workflows/publish-docker.yaml @@ -91,7 +91,7 @@ jobs: docker info echo "DOCKER_API_VERSION=$(docker version --format '{{.Server.APIVersion}}')" >> "$GITHUB_ENV" - name: Log in to the Container registry - uses: docker/[email protected] + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.HUB }} username: ${{ github.actor }}
