Tim Allison created TIKA-4758:
---------------------------------
Summary: Docker snapshots failing
Key: TIKA-4758
URL: https://issues.apache.org/jira/browse/TIKA-4758
Project: Tika
Issue Type: Task
Reporter: Tim Allison
Claude's summary:
*Description:*
Starting on 2026-06-15, the "Docker snapshot - tika-server and tika-grpc"
workflow (.github/workflows/docker-snapshot.yml) fails on every push to main
with conclusion startup_failure — the run never starts, so no job/step
executes and no snapshot Docker images are published.
- Last successful run: 2026-06-13 — run 27469654104 (commit 8a55b9c3f)
- First failing run: 2026-06-15 — run 27528574963 (commit f1b48f8ae)
- Still failing: run 28019661756 (commit 979136ba1)
*Root cause*: the apache enterprise GitHub Actions allowlist no longer
permits the docker/* actions used by these workflows. The startup error is:
bq. The action
docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 is not
allowed in apache/tika because all actions must be from a repository owned by
your enterprise, created by GitHub, or match one of the patterns:
1Password/..., AdoptOpenJDK/install-jdk@*, DavidAnson/..., EnricoMi/...,
JamesIves/..., JetBrains/qodana-action@..., … (docker/* is not in the list)
*This is not a code regression:*
- The workflow file is byte-identical between the last-success commit
(8a55b9c3f) and the first-failure commit (f1b48f8ae) — no .github/ change.
- The only commit in that window is an unrelated dependabot bump
(error_prone_annotations 2.49.0→2.50.0, #2890), which cannot affect workflow
startup.
- The push-triggered main jdk17 build workflow (uses only actions/*) keeps
passing on the same commits; only the docker workflows (which add docker/*)
fail, and they fail before any step runs.
*Affected actions (all SHA-pinned, all now disallowed):*
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
- docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
Affected workflows: .github/workflows/docker-snapshot.yml,
.github/workflows/docker-release.yml
*Impact:* snapshot (and release) Docker images for apache/tika and
apache/tika-grpc have not been built/published since 2026-06-15.
*Proposed fix (one of):*
1. Replace the docker/* actions with the docker CLI in run: steps (docker
login, docker buildx create --use, docker buildx build --push). Buildx is
pre-installed on ubuntu-latest, and the multi-arch QEMU step already uses
docker run tonistiigi/binfmt (a container run, not an action — unaffected).
Self-service, no INFRA dependency.
2. Request ASF INFRA add the three docker/* action SHAs to the enterprise
allowlist.
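Added example (not from the issue or the Tika repository): a pre-push check that lists the uses: references an Actions allowlist would reject, useful because a startup_failure runs no step that could report the problem itself. The pattern list, the function names and the sample workflow are constructed for illustration; the three docker/* pins are the ones listed in the issue.

```sh
#!/bin/sh
# Added example, not project code. ALLOW_PATTERNS is a constructed stand-in for the
# enterprise allowlist (the real list is truncated in the issue): GitHub-created
# owners, the apache org, and the one complete pattern quoted in the error message.
ALLOW_PATTERNS='actions/* github/* apache/* AdoptOpenJDK/install-jdk@*'

# is_allowed REF: succeed if REF matches any allowlist glob.
is_allowed() {
    set -f                              # keep patterns from expanding as filenames
    for pat in $ALLOW_PATTERNS; do
        case $1 in $pat) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# find_disallowed DIR: print "file: ref" for each rejected `uses:` reference in
# DIR's workflow files; return 1 if any were found.
find_disallowed() {
    rc=0
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        # Value of each `uses:` key, minus quotes and trailing comments.
        refs=$(sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$f" | tr -d "\"'")
        for ref in $refs; do
            case $ref in ./*|docker://*) continue ;; esac   # not checked by this script
            is_allowed "$ref" || { echo "$f: $ref"; rc=1; }
        done
    done
    return $rc
}

# write_sample DIR: constructed workflow using the action pins listed in the issue.
write_sample() {
    cat > "$1/docker-snapshot.yml" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
EOF
}

# Usage: sh check-actions.sh .github/workflows
[ $# -eq 0 ] || find_disallowed "$1"
```

Run against the sample, the script reports the three docker/* references and exits non-zero; a workflow that keeps only actions/* references and run: steps passes.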