This is an automated email from the ASF dual-hosted git repository.

hgruszecki pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iggy.git


The following commit(s) were added to refs/heads/master by this push:
     new a6ba900a5 ci: pin Docker actions to SHA and bump setup-bazel per ASF 
allowlist (#2999)
a6ba900a5 is described below

commit a6ba900a527da6d152f62668db0519719fc9caf0
Author: Hubert Gruszecki <[email protected]>
AuthorDate: Fri Mar 20 20:52:28 2026 +0100

    ci: pin Docker actions to SHA and bump setup-bazel per ASF allowlist (#2999)
---
 .github/actions/utils/docker-buildx/action.yml        | 17 ++++++++++-------
 .github/actions/utils/setup-cpp-with-cache/action.yml |  2 +-
 .github/workflows/_test.yml                           |  2 +-
 .github/workflows/publish.yml                         |  4 ++--
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/.github/actions/utils/docker-buildx/action.yml 
b/.github/actions/utils/docker-buildx/action.yml
index 66f3b44c3..c7f765760 100644
--- a/.github/actions/utils/docker-buildx/action.yml
+++ b/.github/actions/utils/docker-buildx/action.yml
@@ -130,17 +130,20 @@ runs:
     - name: Set up QEMU
       # Skip QEMU when building single platform on native runner (no emulation 
needed)
       if: inputs.platform == ''
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 
# v3.6.0
       with:
         platforms: all
 
     - name: Set up Docker Buildx
-      run: docker buildx create --use --driver-opt network=host --driver-opt 
image=moby/buildkit:latest
-      shell: bash
+      uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      with:
+        driver-opts: |
+          network=host
+          image=moby/buildkit:latest
 
     - name: Login to Docker Hub
       if: steps.config.outputs.should_push == 'true'
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # 
v3.7.0
       with:
         username: ${{ env.DOCKERHUB_USER }}
         password: ${{ env.DOCKERHUB_TOKEN }}
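Review bot: The new `driver-opts` block still names the builder image as `image=moby/buildkit:latest`, so the BuildKit daemon that builds and pushes the images is resolved from a mutable tag on every run, even though the action that launches it is now pinned by SHA. Pin it the same way, for example `image=moby/buildkit:<version>@sha256:<digest>` (placeholders; take the values from the release you have vetted). The `Set up QEMU` step has a similar gap if setup-qemu-action is left on its default binfmt image, which as far as I know is also tag-based; its `image` input can carry a digest. The setup-buildx-action steps added in `_test.yml` and `publish.yml` pass no `with:` and so presumably use the action's default builder image, so the same consideration applies there, most of all in the publish path.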
@@ -164,7 +167,7 @@ runs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # 
v5.10.0
       with:
         images: ${{ steps.config.outputs.image }}
         # Tags are only used for local builds (dry-run). Push mode always uses 
digest.
@@ -340,7 +343,7 @@ runs:
     - name: Build and push (by digest)
       id: build-push
       if: steps.config.outputs.should_push == 'true'
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 
# v6.19.2
       with:
         context: ${{ steps.ctx.outputs.context }}
         file: ${{ steps.config.outputs.dockerfile }}
@@ -355,7 +358,7 @@ runs:
     - name: Build only (dry-run)
       id: build-only
       if: steps.config.outputs.should_push != 'true'
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 
# v6.19.2
       with:
         context: ${{ steps.ctx.outputs.context }}
         file: ${{ steps.config.outputs.dockerfile }}
diff --git a/.github/actions/utils/setup-cpp-with-cache/action.yml 
b/.github/actions/utils/setup-cpp-with-cache/action.yml
index bc15dbfe5..baaa4ab53 100644
--- a/.github/actions/utils/setup-cpp-with-cache/action.yml
+++ b/.github/actions/utils/setup-cpp-with-cache/action.yml
@@ -22,7 +22,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup Bazel with cache
-      uses: bazel-contrib/setup-bazel@8d2cb86a3680a820c3e219597279ce3f80d17a47
+      uses: bazel-contrib/setup-bazel@083175551ceeceebc757ebee2127fde78840ca77 
# v0.18.0
       with:
         bazelisk-cache: true
         disk-cache: true
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
index fb170e35d..bcb37321c 100644
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -76,7 +76,7 @@ jobs:
       # Python SDK
       - name: Set up Docker Buildx for Python
         if: inputs.component == 'sdk-python' && inputs.task == 'test'
-        run: docker buildx create --use
+        uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Run Python SDK task
         if: inputs.component == 'sdk-python'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 301b6f8cd..ce72c73ae 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -739,10 +739,10 @@ jobs:
           path: ${{ runner.temp }}/digests
 
       - name: Set up Docker Buildx
-        run: docker buildx create --use
+        uses: 
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # 
v3.7.0
         with:
           username: ${{ env.DOCKERHUB_USER }}
           password: ${{ env.DOCKERHUB_TOKEN }}
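Review bot: The trailing `# v3.12.0` and `# v3.7.0` comments are the only statement of which release each SHA corresponds to, and nothing visible in this commit checks them. GitHub resolves a commit SHA under `owner/repo@` even when the commit exists only in a fork of that repository, so a reviewer should confirm each SHA is the commit the upstream tag points to rather than trust the comment. If it is not already in place (not visible here), a Dependabot or Renovate `github-actions` configuration would keep SHA and comment in step on later bumps. This applies to every pinned `uses:` line in the commit, and matters most here because this job logs in to Docker Hub with `DOCKERHUB_TOKEN`.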
