Tim Allison created TIKA-4758:
---------------------------------

             Summary: Docker snapshots failing
                 Key: TIKA-4758
                 URL: https://issues.apache.org/jira/browse/TIKA-4758
             Project: Tika
          Issue Type: Task
            Reporter: Tim Allison


Claude's summary:

*Description:*

  Starting on 2026-06-15, the "Docker snapshot - tika-server and tika-grpc" 
workflow (.github/workflows/docker-snapshot.yml) fails on every push to main 
with conclusion startup_failure — the run never starts, so no job/step 
executes and no snapshot Docker images are published.

  - Last successful run: 2026-06-13 — run 27469654104 (commit 8a55b9c3f)
  - First failing run: 2026-06-15 — run 27528574963 (commit f1b48f8ae)
  - Still failing: run 28019661756 (commit 979136ba1)

  *Root cause*: the apache enterprise GitHub Actions allowlist no longer 
permits the docker/* actions used by these workflows. The startup error is:

bq. The action 
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 is not 
allowed in apache/tika because all actions must be from a repository owned by 
your enterprise, created by GitHub, or match one of the patterns: 
1Password/..., AdoptOpenJDK/install-jdk@*, DavidAnson/..., EnricoMi/..., 
JamesIves/..., JetBrains/qodana-action@..., … (docker/ is not in the list)

  *This is not a code regression:*
  - The workflow file is byte-identical between the last-success commit 
(8a55b9c3f) and the first-failure commit (f1b48f8ae) — no .github/ change.
  - The only commit in that window is an unrelated dependabot bump 
(error_prone_annotations 2.49.0→2.50.0, #2890), which cannot affect workflow 
startup.
  - The push-triggered main jdk17 build workflow (uses only actions/*) keeps 
passing on the same commits; only the docker workflows (which add docker/*) 
fail, and they fail before any step runs.

*Affected actions (all SHA-pinned, all now disallowed):*
  - docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
  - docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
  - docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd

  Affected workflows: .github/workflows/docker-snapshot.yml, 
.github/workflows/docker-release.yml

*Impact:* snapshot (and release) Docker images for apache/tika and 
apache/tika-grpc have not been built/published since 2026-06-15.

*Proposed fix (one of):*
  1. Replace the docker/* actions with the docker CLI in run: steps (docker 
login, docker buildx create --use, docker buildx build --push). Buildx is 
pre-installed on ubuntu-latest, and the multi-arch QEMU step already uses 
docker run tonistiigi/binfmt (a container run, not an action — unaffected). 
Self-service, no INFRA dependency.
  2. Request ASF INFRA add the three docker/* action SHAs to the enterprise 
allowlist.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
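
Added example, not part of the issue or of the Tika repository: a pre-merge check that lists the `uses:` references in a workflow and reports which ones an allowlist like the one in the startup error would reject, showing that SHA pinning does not make an action allowed. The trusted owner set, the `example-org/*` pattern, the sample workflow and the fnmatch-based matching are assumptions that only approximate GitHub's policy evaluation.

```python
import fnmatch
import re

# Assumption: orgs treated as "owned by your enterprise" or "created by GitHub".
TRUSTED_OWNERS = {"apache", "actions", "github"}
# The first pattern is quoted in full in the error message; the second is constructed.
ALLOW_PATTERNS = ["AdoptOpenJDK/install-jdk@*", "example-org/*"]

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow using the three action references named in the issue.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
      - name: Build and push
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
      - uses: AdoptOpenJDK/install-jdk@v1
"""

def audit_workflow(text):
    """Return (disallowed, unpinned) lists of action references in a workflow."""
    disallowed, unpinned = [], []
    for ref in USES_RE.findall(text):
        # Local (./) and docker:// references are not owner/repo@ref actions;
        # this sketch skips them.
        if ref.startswith(("./", "docker://")):
            continue
        name, _, version = ref.partition("@")
        owner = name.split("/", 1)[0]
        allowed = owner.lower() in TRUSTED_OWNERS or any(
            fnmatch.fnmatchcase(ref, p) or fnmatch.fnmatchcase(name, p)
            for p in ALLOW_PATTERNS)
        if not allowed:
            disallowed.append(ref)
        # Pinning is a separate property: a full-SHA pin can still be disallowed.
        if not FULL_SHA_RE.fullmatch(version):
            unpinned.append(ref)
    return disallowed, unpinned

if __name__ == "__main__":
    blocked, floating = audit_workflow(SAMPLE_WORKFLOW)
    print("disallowed by allowlist:", *blocked, sep="\n  ")
    print("not pinned to a full SHA:", *floating, sep="\n  ")
```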
