Copilot commented on code in PR #10507:
URL: https://github.com/apache/gravitino/pull/10507#discussion_r2972703474
##########
.github/workflows/docker-image.yml:
##########
@@ -115,16 +115,16 @@ jobs:
fi
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses:
docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #
v4.0.0
with:
username: ${{ github.event.inputs.username }}
password: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses:
docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
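Review bot: The three new `uses:` lines combine SHA pinning with a major-version upgrade (`@v3` becomes a commit commented `# v4.0.0`), and the two should be verified separately. Check that the `username` and `password` inputs passed to `docker/login-action` and the defaults relied on by the QEMU and Buildx setup steps still hold in v4. Also confirm that each 40-character SHA resolves to the upstream `v4.0.0` tag, since nothing validates the trailing comment against the commit it annotates.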
Review Comment:
This PR description says all `docker/*` actions are SHA-pinned in every CI
workflow, but `.github/workflows/chart-test.yaml` still uses floating tags
(`docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3`). Under the
Apache org policy, that workflow will still be blocked and can keep CI failing.
Please include an update to `chart-test.yaml` (pin to the same v4.0.0 SHAs) or
adjust the PR scope/description accordingly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
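A check for the gap the review comment points out, as an added example that is not part of the PR or of the original message: it scans workflow text for `uses:` references whose ref is not a full 40-character commit SHA. The function name, the `owner_prefix` parameter and both sample workflows are constructed for illustration.

```python
import re
import sys

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by a comment.
# Local actions (./path) and docker:// references carry no owner/repo@ref and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)['\"]?\s*(?:#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text, owner_prefix=""):
    """Return (line_no, action, ref) for each `uses:` ref that is not a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        if action.startswith(owner_prefix) and not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample: steps shaped like the floating-tag usage the review comment describes.
FLOATING_SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
"""

# Constructed sample: a step in the pinned form shown in the diff above.
PINNED_SAMPLE = """\
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
"""

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.y*ml  (exit code 1 on any finding)
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for line_no, action, ref in find_unpinned(handle.read()):
                print(f"{path}:{line_no}: {action}@{ref} is not pinned to a commit SHA")
                failed = True
    sys.exit(1 if failed else 0)
```

Run over every file under `.github/workflows/`, a check like this reports any workflow that a pinning change left out.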