adityamparikh opened a new pull request, #154: URL: https://github.com/apache/solr-mcp/pull/154
## Problem

`release-publish.yml` authenticates to GHCR with `docker/login-action` in two GHCR‑login steps. That third‑party action is **not on the Apache org's GitHub Actions allow‑list**, and allow‑list rejection happens at workflow‑parse time — so the action fails the **entire workflow at startup** (zero jobs run) the moment a release is run. The SHA‑pin to `650006c6…` (v4.2.0) added in #145 does not help: that SHA isn't allow‑listed. (The `graalvm/setup-graalvm@329c42c…` pin in the same file *is* allow‑listed and is left untouched.)

This workflow is dormant today (manual release trigger), so it isn't failing CI now — but it would startup‑fail the first time someone cuts a release.

## Fix

Unlike #153 (where `build-and-publish.yml` doesn't publish, so the job was removed), `release-publish.yml` genuinely needs to publish — so it keeps the login, just **inline**:

- Replace both `docker/login-action` GHCR‑login steps with an inline `docker login ghcr.io` using the built‑in `GITHUB_TOKEN`.
- Token is piped via **stdin** (`--password-stdin`) so it never appears on the command line or in logs; the username is read from an `env:` var, so **no untrusted value is interpolated** into the `run:` script.

This removes the allow‑list dependency entirely — the inline `docker login` uses only the Docker CLI already on the runner.

`18 insertions, 10 deletions`, one file. No publish behavior changes — the subsequent Jib push steps and Docker Hub publishing are untouched.

## Companion PR

This is the follow‑up to #153 (which fixed `build-and-publish.yml` by removing its unused publish job). Together they clear `docker/login-action` from both workflows.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
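A small workflow lint illustrating the two properties the PR description relies on, added here as an example and not taken from the pull request or the solr-mcp repository. The allow-list entries, the `GHCR_USER`/`GHCR_TOKEN` variable names, and the three workflow fragments are constructed assumptions, and `<pinned-sha>` is a placeholder.

```python
import re
# Constructed allow-list for illustration; the real Apache list is not shown on the page.
ALLOWED = ("actions/", "graalvm/setup-graalvm@")
# Constructed workflow fragments (not the contents of release-publish.yml).
BEFORE = """\
steps:
  - name: Log in to GHCR
    uses: docker/login-action@<pinned-sha>
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
"""
UNSAFE_INLINE = """\
steps:
  - run: docker login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
"""
AFTER = """\
steps:
  - name: Log in to GHCR
    env:
      GHCR_USER: ${{ github.actor }}
      GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    run: |
      echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
"""
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:(.*)$")

def lint(workflow):
    """Flag actions outside ALLOWED and ${{ }} expressions inside run: scripts."""
    findings, run_col = [], None
    for n, line in enumerate(workflow.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run: script has ended
        uses, run = USES.match(line), RUN.match(line)
        if uses and not uses.group(1).startswith(ALLOWED):
            findings.append(f"line {n}: action not allow-listed: {uses.group(1)}")
        if run:
            run_col = len(run.group(1))  # column where the run: key starts
        script = run.group(2) if run else (line if run_col is not None else "")
        if "${{" in script:  # env:/with: values are not script text, so not flagged
            findings.append(f"line {n}: expression interpolated into run: script")
    return findings

if __name__ == "__main__":
    for name in ("BEFORE", "UNSAFE_INLINE", "AFTER"):
        print(name, lint(globals()[name]))
```

The lint is line-based and covers only the step layouts shown; a YAML parser would be needed for arbitrary workflow files.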
