This is an automated email from the ASF dual-hosted git repository.

janhoy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-orbit.git


The following commit(s) were added to refs/heads/main by this push:
     new 3d58f5d7 Pin GitHub Actions to commit SHAs for ASF policy compliance 
(#21)
3d58f5d7 is described below

commit 3d58f5d7ae8196e7aab73c2dff5da5b1c3c9b5bf
Author: Jan Høydahl <[email protected]>
AuthorDate: Mon May 25 23:59:07 2026 +0200

    Pin GitHub Actions to commit SHAs for ASF policy compliance (#21)
    
    * Pin GitHub Actions to commit SHAs for ASF policy compliance
    * Update Dockerfile to Python 3.12 to match pyproject.toml requirement
    * Fix hadolint lint warnings in Dockerfile
    * Use WORKDIR instead of cd in Dockerfile build stage (DL3003, SC2164)
---
 .github/workflows/check-actions-usage.yml | 22 ++++++++++++++++++++++
 .github/workflows/docker-build.yml        |  9 ++++++---
 .github/workflows/dockerfile-lint.yml     |  7 +++++--
 .github/workflows/unit-test.yml           | 11 +++++++----
 docker/Dockerfile                         | 29 ++++++++++++++++-------------
 5 files changed, 56 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/check-actions-usage.yml 
b/.github/workflows/check-actions-usage.yml
new file mode 100644
index 00000000..2843be19
--- /dev/null
+++ b/.github/workflows/check-actions-usage.yml
@@ -0,0 +1,22 @@
+name: Check ASF Actions Compliance
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/**"
+  pull_request:
+    paths:
+      - ".github/**"
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    name: Check actions usage
+    uses: 
apache/infrastructure-actions/check-project-actions/check-project-actions.yml@main
+    permissions:
+      contents: read
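Review bot: The reusable workflow in the `check` job is referenced at `@main`, a mutable branch, so each run executes whatever that branch holds at the time, which is the exposure the rest of this commit removes for third-party actions. If ASF policy exempts the `apache/*` namespace from SHA pinning, a comment above the `uses:` line should say so, e.g. `# apache/* is exempt from SHA pinning under ASF policy; tracking main on purpose`. Otherwise pin it as `uses: apache/infrastructure-actions/check-project-actions/check-project-actions.yml@<full-commit-sha> # main`. It is also worth confirming that the path resolves, since a job-level `uses:` normally takes the form `owner/repo/.github/workflows/file.yml@ref`.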
diff --git a/.github/workflows/docker-build.yml 
b/.github/workflows/docker-build.yml
index dc884f87..f2bf5d8c 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -13,6 +13,9 @@ on:
           - warning
           - debug
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -21,10 +24,10 @@ jobs:
         platform: ['linux/amd64', 'linux/arm64']
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: 
docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         # Workaround for a memory allocation layout bug in QEMU,
         # triggered by a kernel update to Linux machine images.
         # Note that this is not an actual fix.
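Review bot: The version comments beside the new SHAs are not equally precise: `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` names a moving major tag, while the QEMU pin carries an exact `# v3.7.0`. A major-only comment cannot be checked against a specific release, so a reviewer has no quick way to confirm what the SHA corresponds to. I would record the exact release the SHA belongs to, in the form `# v4.<minor>.<patch>` with the real values filled in. The same applies to `# v3` in dockerfile-lint.yml and to `# v2`, `# v4` and `# v1` in unit-test.yml.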
@@ -32,7 +35,7 @@ jobs:
           image: tonistiigi/binfmt:qemu-v7.0.0-28
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Docker Build ${{ matrix.platform }}
         run: |
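Review bot: The QEMU step still pulls `image: tonistiigi/binfmt:qemu-v7.0.0-28` by tag, so pinning the action to a SHA does not fix the content the action goes on to run; a registry tag can be re-pointed. As far as I know the action runs this image as a privileged container, which makes its integrity matter as much as the action's own. Pinning by digest closes the gap: `image: tonistiigi/binfmt:qemu-v7.0.0-28@sha256:<digest-of-the-reviewed-image>`. The `with:` block begins above this hunk, so only the `image:` line is visible here.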
diff --git a/.github/workflows/dockerfile-lint.yml 
b/.github/workflows/dockerfile-lint.yml
index 0c1fb882..94661b8c 100644
--- a/.github/workflows/dockerfile-lint.yml
+++ b/.github/workflows/dockerfile-lint.yml
@@ -6,12 +6,15 @@ on:
     paths:
       - 'docker/**'
 
+permissions:
+  contents: read
+
 jobs:
   test_docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: jbergstroem/hadolint-gh-action@v1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: 
hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
         with:
           dockerfile: 'docker/*Dockerfile'
           annotate: false
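Review bot: The `with:` block under the new `hadolint/hadolint-action` step is carried over unchanged from `jbergstroem/hadolint-gh-action`, and the two actions do not share an input schema. As far as I know `annotate` is not an input of hadolint-action, so it would be ignored with an unexpected-input warning. Its `dockerfile` input is documented as a single path, so the glob `'docker/*Dockerfile'` may not expand as it did before. If the pattern does not match, this lint gate either fails outright or checks nothing. I would use `dockerfile: docker/Dockerfile`, drop `annotate: false`, and confirm on a run that the file is actually linted.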
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index e81921fb..da75c920 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -1,5 +1,9 @@
 name: Run Unit Tests
 on: [workflow_dispatch, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Unit-Tests:
     strategy:
@@ -17,7 +21,7 @@ jobs:
           sudo apt-get install -y libbz2-dev
 
       - name: Check out repository code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
       - name: Clone pyenv
         run: git clone https://github.com/pyenv/pyenv.git ~/.pyenv
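Review bot: The `Clone pyenv` step right after the pinned checkout still runs `git clone https://github.com/pyenv/pyenv.git ~/.pyenv`, which takes the default branch as it stands at run time; presumably later steps outside this hunk execute it. That leaves an unpinned code source in a workflow this commit otherwise pins. I would fetch a fixed release, `run: git clone --depth 1 --branch <pyenv-release-tag> https://github.com/pyenv/pyenv.git ~/.pyenv`, and compare `git -C ~/.pyenv rev-parse HEAD` with the expected commit before using it. Separately, this job is frozen at the checkout v2 line while the docs job in the same file uses v4; aligning them would leave one release to track.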
@@ -32,10 +36,10 @@ jobs:
         working-directory: docs
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: "3.3"
           bundler-cache: true
@@ -44,4 +48,3 @@ jobs:
 
       - name: Build docs (lint check)
         run: bundle exec jekyll build --baseurl ""
-
diff --git a/docker/Dockerfile b/docker/Dockerfile
index b52b8976..8a160aba 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -5,24 +5,26 @@
 #
 # Stage 1: build packages and compile where needed
 #
-FROM python:3.11.2-slim AS build-stage
+FROM python:3.12-slim AS build-stage
 
+# hadolint ignore=DL3008
 RUN apt-get -y update && \
-    apt-get install -y curl git gcc pbzip2 pigz make jq && \
-    apt-get -y upgrade
+    apt-get install -y --no-install-recommends curl git gcc pbzip2 pigz make 
jq && \
+    apt-get -y upgrade && \
+    rm -rf /var/lib/apt/lists/*
 
-COPY . solr-orbit
+WORKDIR /build/solr-orbit
+COPY . .
 
 # There is no binary package currently available for yappi on ARM.
-RUN cd solr-orbit; \
-    make build; \
-    if test "`uname -m`" = aarch64; then pip wheel yappi && cp yappi-*.whl 
dist; fi
+RUN make build && \
+    if test "$(uname -m)" = aarch64; then pip wheel yappi && cp yappi-*.whl 
dist; fi
 
 
 #
 # Stage 2: create image
 #
-FROM python:3.11.2-slim AS image-stage
+FROM python:3.12-slim AS image-stage
 ENV BENCHMARK_RUNNING_IN_DOCKER=True
 
 RUN groupadd --gid 1000 solr-orbit && \
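Review bot: Both `FROM python:3.12-slim` lines move the base image from a patch-level tag (`3.11.2-slim`) to a floating minor tag, so two builds of the same commit can start from different images. Since this commit pins actions by SHA, I would pin the base the same way, `FROM python:3.12-slim@sha256:<digest-of-the-reviewed-image> AS build-stage`, with the same digest for `image-stage`, and let update tooling move it. `pip wheel yappi` in the build stage is likewise unversioned; `pip wheel yappi==<version>` would make the aarch64 wheel reproducible. The `RUN groupadd` instruction at the end of the hunk continues outside it.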
@@ -33,15 +35,16 @@ WORKDIR /solr-orbit
 RUN mkdir -p /solr-orbit/.solr-orbit && \
     chown -R 1000:0 /solr-orbit/.solr-orbit
 
-COPY --from=build-stage /solr-orbit/dist/*.whl ./
+COPY --from=build-stage /build/solr-orbit/dist/*.whl ./
 
+# hadolint ignore=DL3008
 RUN set -ex; \
     apt-get -y update; \
-    apt-get install -y git pbzip2; \
+    apt-get install -y --no-install-recommends git pbzip2; \
     apt-get -y upgrade; \
     rm -rf /var/lib/apt/lists/*; \
-    PIP_ONLY_BINARY=h5py pip install *.whl; \
-    rm *.whl
+    pip install --no-cache-dir ./*.whl; \
+    rm ./*.whl
 
 USER 1000
 
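Review bot: The rewritten install line drops `PIP_ONLY_BINARY=h5py`, which is a behaviour change rather than a lint fix and is not mentioned in the commit message. If h5py is still in the dependency tree, pip may now fall back to a source distribution when no wheel matches the platform. That would run the package's build scripts during the image build and need a compiler, which this stage does not install (only `git` and `pbzip2` are added). Unless the restriction is known to be obsolete, I would keep it: `PIP_ONLY_BINARY=h5py pip install --no-cache-dir ./*.whl; \`.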
@@ -57,7 +60,7 @@ LABEL org.label-schema.schema-version="1.0" \
   org.label-schema.description="Apache Solr Orbit — performance benchmarking 
tool for Apache Solr clusters" \
   org.label-schema.build-date="$BUILD_DATE" \
   org.label-schema.vcs-url="https://github.com/apache/solr-orbit"; \
-  
"DOCKERFILE"="https://github.com/apache/solr-orbit/blob/main/docker/Dockerfile";
+  
org.label-schema.dockerfile="https://github.com/apache/solr-orbit/blob/main/docker/Dockerfile";
 
 VOLUME ["/solr-orbit/.solr-orbit"]
 
