[ 
https://issues.apache.org/jira/browse/TIKA-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tim Allison resolved TIKA-4758.
-------------------------------
    Resolution: Fixed

All good now.

 

https://hub.docker.com/layers/apache/tika/4.0.0-SNAPSHOT-full/images/sha256-2dba3320ab9d105acdb2fd8ee06f810115dbcfde574d19c8ec941d9afd85c0a4

> Docker snapshots failing
> ------------------------
>
>                 Key: TIKA-4758
>                 URL: https://issues.apache.org/jira/browse/TIKA-4758
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>
> Claude's summary:
> *Description:*
>   Starting on 2026-06-15, the "Docker snapshot - tika-server and tika-grpc" 
> workflow (.github/workflows/docker-snapshot.yml) fails on every push to main 
> with conclusion startup_failure — the run never  starts, so no job/step 
> executes and no snapshot Docker images are published.
>   - Last successful run: 2026-06-13 — run 27469654104 (commit 8a55b9c3f)
>   - First failing run: 2026-06-15 — run 27528574963 (commit f1b48f8ae)
>   - Still failing: run 28019661756 (commit 979136ba1)
>   {*}Root cause{*}: the apache enterprise GitHub Actions allowlist no longer 
> permits the docker/* actions used by these workflows. The startup error is:
> {quote}The action 
> docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 is not 
> allowed in apache/tika because all actions must be from a repository owned by 
> your enterprise, created by GitHub, or match one of the patterns: 
> 1Password/..., AdoptOpenJDK/install-jdk@{*}, DavidAnson/..., EnricoMi/..., 
> JamesIves/..., JetBrains/qodana-action@..., … (docker/ is not in the list){*}
> {quote}
>   *This is not a code regression:*
>   - The workflow file is byte-identical between the last-success commit 
> (8a55b9c3f) and the first-failure commit (f1b48f8ae) — no .github/ change.
>   - The only commit in that window is an unrelated dependabot bump 
> (error_prone_annotations 2.49.0→2.50.0, #2890), which cannot affect workflow 
> startup.
>   - The push-triggered main jdk17 build workflow (uses only actions/) keeps 
> passing on the same commits; only the docker workflows (which add docker/) 
> fail, and they fail before any step runs.
> *Affected actions (all SHA-pinned, all now disallowed):*
>   - docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
>   - docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
>   - docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
>   Affected workflows: .github/workflows/docker-snapshot.yml, 
> .github/workflows/docker-release.yml
> *Impact:* snapshot (and release) Docker images for apache/tika and 
> apache/tika-grpc have not been built/published since 2026-06-15.
> *Proposed fix (one of):*
>   1. Replace the docker/* actions with the docker CLI in run: steps (docker 
> login, docker buildx create --use, docker buildx build --push). Buildx is 
> pre-installed on ubuntu-latest, and the multi-arch QEMU step already uses 
> docker run tonistiigi/binfmt (a container run, not an action — unaffected). 
> Self-service, no INFRA dependency.
>   2. Request ASF INFRA add the three docker/* action SHAs to the enterprise 
> allowlist.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to