This is an automated email from the ASF dual-hosted git repository. hgruszecki pushed a commit to branch ci/pin-docker-actions in repository https://gitbox.apache.org/repos/asf/iggy.git
commit ffd417b0c9b0a6af062789e34beb54c9510b4fc6
Author: Hubert Gruszecki <[email protected]>
AuthorDate: Fri Mar 20 19:06:13 2026 +0100

    ci(docker): pin Docker actions to SHA per ASF allowlist policy

    ASF tightened GitHub Actions enforcement on 2026-03-20, switching from "verified creators" to explicit allowlist only. Docker actions that worked implicitly now require SHA-pinned entries in apache/infrastructure-actions.

    Restore docker/setup-buildx-action (reverts shell workaround from ba8e865af) and pin all Docker actions to approved commit SHAs.

    Allowlist PR: https://github.com/apache/infrastructure-actions/pull/547
---
 .github/actions/utils/docker-buildx/action.yml | 17 ++++++++++-------
 .github/workflows/_test.yml | 2 +-
 .github/workflows/publish.yml | 4 ++--
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/.github/actions/utils/docker-buildx/action.yml b/.github/actions/utils/docker-buildx/action.yml
index 66f3b44c3..c7f765760 100644
--- a/.github/actions/utils/docker-buildx/action.yml
+++ b/.github/actions/utils/docker-buildx/action.yml
@@ -130,17 +130,20 @@ runs:
 - name: Set up QEMU
 # Skip QEMU when building single platform on native runner (no emulation needed)
 if: inputs.platform == ''
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 with:
 platforms: all
 
 - name: Set up Docker Buildx
- run: docker buildx create --use --driver-opt network=host --driver-opt image=moby/buildkit:latest
- shell: bash
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+ with:
+ driver-opts: |
+ network=host
+ image=moby/buildkit:latest
 
 - name: Login to Docker Hub
 if: steps.config.outputs.should_push == 'true'
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ env.DOCKERHUB_USER }}
 password: ${{ env.DOCKERHUB_TOKEN }}
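Review bot: The pinning stops at the action layer: the added `driver-opts` block of the Set up Docker Buildx step still requests `image=moby/buildkit:latest`, so the BuildKit daemon that actually performs the build is pulled from a floating tag and can change between runs while every `uses:` line is now locked to a commit. Pin it to a release tag or, better, an image digest, e.g. `image=moby/buildkit:<VERSION-PLACEHOLDER>@sha256:<DIGEST-PLACEHOLDER>`, and have the same update tooling that bumps the action SHAs bump it. The `# v3.6.0`-style trailing comments are the convention Dependabot and Renovate use to recognise and refresh SHA pins, so keep that exact `@<sha> # vX.Y.Z` form on every pinned line, including the two build-push-action steps in the later hunks. The `runs:` block continues outside the hunk.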
@@ -164,7 +167,7 @@ runs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with:
 images: ${{ steps.config.outputs.image }}
 # Tags are only used for local builds (dry-run). Push mode always uses digest.
@@ -340,7 +343,7 @@ runs:
 - name: Build and push (by digest)
 id: build-push
 if: steps.config.outputs.should_push == 'true'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: ${{ steps.ctx.outputs.context }}
 file: ${{ steps.config.outputs.dockerfile }}
@@ -355,7 +358,7 @@ runs:
 - name: Build only (dry-run)
 id: build-only
 if: steps.config.outputs.should_push != 'true'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: ${{ steps.ctx.outputs.context }}
 file: ${{ steps.config.outputs.dockerfile }}
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
index fb170e35d..bcb37321c 100644
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -76,7 +76,7 @@ jobs:
 # Python SDK
 - name: Set up Docker Buildx for Python
 if: inputs.component == 'sdk-python' && inputs.task == 'test'
- run: docker buildx create --use
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
 - name: Run Python SDK task
 if: inputs.component == 'sdk-python'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 301b6f8cd..ce72c73ae 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -739,10 +739,10 @@ jobs:
 path: ${{ runner.temp }}/digests
 
 - name: Set up Docker Buildx
- run: docker buildx create --use
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ env.DOCKERHUB_USER }}
 password: ${{ env.DOCKERHUB_TOKEN }}
