This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-python.git
The following commit(s) were added to refs/heads/master by this push:
new 88d30ab fix(ci): pin docker/* actions to ASF-approved SHAs in
publish-docker (#406)
88d30ab is described below
commit 88d30abff4787b0d3331eb6825a52a8f1ad88a6d
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Thu Jun 25 21:42:41 2026 +0800
fix(ci): pin docker/* actions to ASF-approved SHAs in publish-docker (#406)
The publish-docker workflow used floating @v3 tags for docker/login-action,
docker/setup-qemu-action, and docker/setup-buildx-action. The ASF GitHub
Actions allow-list only approves specific SHAs for third-party actions, so
the workflow was rejected at startup (startup_failure) on master pushes.
This workflow only runs on push-to-master and release, never on PRs, so the
rejection did not surface in PR CI — it first failed when #388 merged.
Pin all three to the approved SHAs already used across the sibling ASF
SkyWalking repos:
- docker/login-action@650006c6... # v4.2.0
- docker/setup-qemu-action@06116385... # v4.1.0
- docker/setup-buildx-action@d7f5e7f5... # v4.1.0
---
.github/workflows/publish-docker.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-docker.yaml
b/.github/workflows/publish-docker.yaml
index e5d00e5..617244a 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -55,14 +55,14 @@ jobs:
echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
fi
- name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #
v4.2.0
with:
registry: ${{ env.DOCKER_REGISTRY }}
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses:
docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses:
docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: Build and push docker image
run: make push-image -j 5
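Review bot: all three `uses:` lines in this hunk move from the `@v3` tag to SHAs commented as v4.2.0 and v4.1.0, so the change is a major-version upgrade as well as a pin, and the commit message only describes the pin. The `with:` block under docker/login-action (registry, username, password) is left unchanged, so please confirm against the v4 release notes that these inputs and the runner requirements still hold, and mention the upgrade in the message. The trailing `# v4.x.y` comments are the only human-readable link between each SHA and a release, so it is worth checking each SHA against the upstream tag it names before relying on the comment in later reviews.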