This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-java.git


The following commit(s) were added to refs/heads/main by this push:
     new a9b0cf4ca1 Pin docker/login-action to an ASF-approved commit SHA (#811)
a9b0cf4ca1 is described below

commit a9b0cf4ca1a424dcd8b1cdad7beb6289465ea363
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Wed Jul 1 20:05:22 2026 +0800

    Pin docker/login-action to an ASF-approved commit SHA (#811)
    
    The ASF org-wide GitHub Actions allow-list requires third-party actions to 
be
    pinned to a reviewed commit SHA rather than a floating version tag. 
publish-docker.yaml
    referenced docker/[email protected], which the allow-list rejects. Pin 
it to
    650006c6eb7dba73a995cc03b0b2d7f5ca915bee (v4.2.0) — the same approved SHA 
used by
    the apache/skywalking repo and present in apache/infrastructure-actions' 
approved_patterns.yml.
---
 .github/workflows/publish-docker.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish-docker.yaml 
b/.github/workflows/publish-docker.yaml
index 1eb75de778..13dd95e4ae 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -91,7 +91,7 @@ jobs:
           docker info
           echo "DOCKER_API_VERSION=$(docker version --format 
'{{.Server.APIVersion}}')" >> "$GITHUB_ENV"
       - name: Log in to the Container registry
-        uses: docker/[email protected]
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # 
v4.2.0
         with:
           registry: ${{ env.HUB }}
           username: ${{ github.actor }}

Reply via email to