yamoyamoto opened a new issue, #8851: URL: https://github.com/apache/incubator-devlake/issues/8851
### Search before asking - [x] I had searched in the [issues](https://github.com/apache/incubator-devlake/issues?q=is%3Aissue) and found no similar issues. ### What happened The `Build-Images-Push-Docker` workflow (`.github/workflows/build.yml`) fails with `startup_failure` on every trigger because four `docker/*` actions are tag-pinned (`@v2` / `@v3`) and do not match the ASF GitHub Actions allowlist ([approved_patterns.yml](https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml)). GitHub error excerpt: > The actions docker/setup-qemu-action@v2, docker/setup-buildx-action@v2, docker/login-action@v2, and docker/build-push-action@v3 are not allowed in apache/incubator-devlake ... Example failed run: https://github.com/apache/incubator-devlake/actions/runs/24931484095 `v1.0.3-beta11` (released 2026-04-25) is not on Docker Hub; the latest image at `apache/devlake` is still `v1.0.3-beta10` (2026-03-12). ### What do you expect to happen The workflow parses successfully, all jobs run, and Docker images are published to `apache/devlake` for new tags and `main` commits. ### How to reproduce Push to any of `v*` tag, `main`, `release-*`, or `fix-clear-docker-images-before-build`. The `Build-Images-Push-Docker` workflow exits with `startup_failure` at workflow-parse time. Replace the four `docker/*` tag pins with allowlisted SHAs: | Action | Old | New SHA (tag) | |---|---|---| | `docker/setup-qemu-action` | `@v2` | `ce360397dd3f832beb865e1373c09c0e9f86d70a` (v4.0.0) | | `docker/setup-buildx-action` | `@v2` | `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` (v4.0.0) | | `docker/login-action` | `@v2` | `4907a6ddec9925e35a0a9e82d7399ccc52663121` (v4.1.0) | | `docker/build-push-action` | `@v3` | `bcafcacb16a39f128d818304e6c9c0c18556b85f` (v7.1.0) | Adopted SHAs are the latest commit-date entries in `approved_patterns.yml` (commit-date-newest rule per ASF allowlist policy). ### Anything else Same fix pattern recently landed in apache/tika#2779 (INFRA-27837, merged 2026-04-22). ### Version v1.0.3-beta11 ### Are you willing to submit PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
