ci(docker): pin Docker actions to SHA per ASF allowlist policy

hubcio · hubcio · commit ffd417b0c9b0 · 2026-03-20T19:32:49.000+01:00
ASF tightened GitHub Actions enforcement on 2026-03-20, switching from "verified creators" to explicit allowlist only. Docker actions that worked implicitly now require SHA-pinned entries in apache/infrastructure-actions. Restore docker/setup-buildx-action (reverts shell workaround from ba8e865) and pin all Docker actions to approved commit SHAs. Allowlist PR: apache/infrastructure-actions#547
diff --git a/.github/actions/utils/docker-buildx/action.yml b/.github/actions/utils/docker-buildx/action.yml
@@ -130,17 +130,20 @@ runs:
     - name: Set up QEMU
       # Skip QEMU when building single platform on native runner (no emulation needed)
       if: inputs.platform == ''
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       with:
         platforms: all
 
     - name: Set up Docker Buildx
-      run: docker buildx create --use --driver-opt network=host --driver-opt image=moby/buildkit:latest
-      shell: bash
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      with:
+        driver-opts: |
+          network=host
+          image=moby/buildkit:latest
 
     - name: Login to Docker Hub
       if: steps.config.outputs.should_push == 'true'
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         username: ${{ env.DOCKERHUB_USER }}
         password: ${{ env.DOCKERHUB_TOKEN }}
@@ -164,7 +167,7 @@ runs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ${{ steps.config.outputs.image }}
         # Tags are only used for local builds (dry-run). Push mode always uses digest.
@@ -340,7 +343,7 @@ runs:
     - name: Build and push (by digest)
       id: build-push
       if: steps.config.outputs.should_push == 'true'
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       with:
         context: ${{ steps.ctx.outputs.context }}
         file: ${{ steps.config.outputs.dockerfile }}
@@ -355,7 +358,7 @@ runs:
     - name: Build only (dry-run)
       id: build-only
       if: steps.config.outputs.should_push != 'true'
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       with:
         context: ${{ steps.ctx.outputs.context }}
         file: ${{ steps.config.outputs.dockerfile }}
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -76,7 +76,7 @@ jobs:
       # Python SDK
       - name: Set up Docker Buildx for Python
         if: inputs.component == 'sdk-python' && inputs.task == 'test'
-        run: docker buildx create --use
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Run Python SDK task
         if: inputs.component == 'sdk-python'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -739,10 +739,10 @@ jobs:
           path: ${{ runner.temp }}/digests
 
       - name: Set up Docker Buildx
-        run: docker buildx create --use
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ env.DOCKERHUB_USER }}
           password: ${{ env.DOCKERHUB_TOKEN }}
