
fix(ci): pin docker/* actions to ASF-approved SHAs in publish-docker#406

Merged
wu-sheng merged 2 commits into
masterfrom
fix/ci-publish-docker-approved-pins
Jun 25, 2026

Conversation

@wu-sheng

Member

Problem

The publish-docker workflow fails at startup (startup_failure) on every push to master — the ASF GitHub Actions allow-list rejects its three third-party docker actions because they are pinned to floating @v3 tags instead of approved SHAs:

  • docker/login-action@v3
  • docker/setup-qemu-action@v3
  • docker/setup-buildx-action@v3

This workflow runs only on push to master and on release — never on pull_request — so the rejection does not appear in PR CI. It first surfaced when #388 merged: run 28161685059.

Fix

Pin all three to the SHAs already approved on the ASF allow-list and used consistently across the sibling ASF SkyWalking repos:

| Action | Pin |
| --- | --- |
| docker/login-action | 650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 |
| docker/setup-qemu-action | 06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 |
| docker/setup-buildx-action | d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 |

Audit

Swept every uses: across all workflows. After this change, all third-party actions are SHA-pinned and on the allow-list (dorny/paths-filter was fixed in #405; tcort/github-action-markdown-link-check was already pinned). actions/* and apache/* are auto-allowed. No other floating third-party tags remain.

Note: startup_failure means the workflow was rejected before any job ran, so there is no log to re-run — this must be fixed by editing the pins (as done here).

🤖 Generated with Claude Code
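The "Audit" sweep above can be automated so a floating tag cannot slip back in. The following is an added example, not code from the SkyWalking repo or this PR: it scans workflow text for `uses:` references, skips the `actions/*` and `apache/*` owners the description says are auto-allowed, and rejects anything that is not a full commit SHA present on an allow-list (the allow-list dict and the sample workflow fragments are constructed for the example; the three SHAs are the ones pinned in this PR).

```python
import re

# Added example for this PR, not code from the SkyWalking repo. The allow-list
# contents and the workflow fragments below are constructed assumptions; the
# SHAs are the three pins quoted in the PR description.
APPROVED = {
    "docker/login-action": {"650006c6eb7dba73a995cc03b0b2d7f5ca915bee"},
    "docker/setup-qemu-action": {"06116385d9baf250c9f4dcb4858b16962ea869c3"},
    "docker/setup-buildx-action": {"d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"},
}
# Owners the PR says are auto-allowed, so no SHA check is applied to them.
ALWAYS_ALLOWED = ("actions/", "apache/")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text, approved=APPROVED):
    """Return (ref, reason) for each `uses:` the allow-list would reject."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local paths and container images are not actions
        name, sep, version = ref.partition("@")
        if name.startswith(ALWAYS_ALLOWED):
            continue
        if not sep or not SHA_RE.match(version):
            findings.append((ref, "floating tag, not a full commit SHA"))
        elif version not in approved.get(name, set()):
            findings.append((ref, "SHA not on the allow-list"))
    return findings

# Constructed before/after fragments of a publish-docker style workflow.
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: docker/login-action@v3
  - uses: docker/setup-qemu-action@v3
  - uses: docker/setup-buildx-action@v3
"""
AFTER = """\
steps:
  - uses: actions/checkout@v4
  - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
  - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
  - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
"""

if __name__ == "__main__":
    for ref, reason in audit_uses(BEFORE):
        print(f"REJECT {ref}: {reason}")
    print("after fix:", audit_uses(AFTER) or "clean")
```

Running it as a pull_request check would have caught the @v3 pins before merge, which the push-only trigger of publish-docker could not.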

wu-sheng and others added 2 commits June 25, 2026 20:47
The publish-docker workflow used floating @v3 tags for docker/login-action,
docker/setup-qemu-action, and docker/setup-buildx-action. The ASF GitHub
Actions allow-list only approves specific SHAs for third-party actions, so
the workflow was rejected at startup (startup_failure) on master pushes.

This workflow only runs on push-to-master and release, never on PRs, so the
rejection did not surface in PR CI — it first failed when #388 merged.

Pin all three to the approved SHAs already used across the sibling ASF
SkyWalking repos:
  - docker/login-action@650006c6...      # v4.2.0
  - docker/setup-qemu-action@06116385...  # v4.1.0
  - docker/setup-buildx-action@d7f5e7f5... # v4.1.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@wu-sheng wu-sheng added this to the 1.3.0 milestone Jun 25, 2026
@wu-sheng wu-sheng merged commit 88d30ab into master Jun 25, 2026
75 checks passed
@wu-sheng wu-sheng deleted the fix/ci-publish-docker-approved-pins branch June 25, 2026 13:42