
Add Docker official actions (login, buildx, metadata, build-push)#547

Merged
dfoulks1 merged 1 commit into apache:main from hubcio:add-docker-actions
Mar 20, 2026
@hubcio hubcio commented Mar 20, 2026

Request for adding new GitHub Actions to the allow list

Overview

Docker's official CI/CD actions used by apache/iggy for multi-arch Docker image builds and publishing. These are companion actions to docker/setup-qemu-action which is already on the allow list.

These actions were previously allowed implicitly but started failing on March 20, 2026 after an apparent org-level policy change.

Name of actions:
docker/login-action
docker/setup-buildx-action
docker/metadata-action
docker/build-push-action

URL of actions:
https://github.com/docker/login-action
https://github.com/docker/setup-buildx-action
https://github.com/docker/metadata-action
https://github.com/docker/build-push-action

Version to pin to (hash only):

| Action | Hash | Tag |
|---|---|---|
| docker/login-action | c94ce9fb468520275223c153574b00df6fe4bcc9 | v3.7.0 |
| docker/setup-buildx-action | 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f | v3.12.0 |
| docker/metadata-action | c299e40c65443455700f0fdfc63efafe5b349051 | v5.10.0 |
| docker/build-push-action | 10e90e3645eae34f1e60eeb005ba3a3d33f178e8 | v6.19.2 |

Permissions

  • docker/login-action: Reads Docker Hub credentials from environment variables to authenticate with the registry. Requires DOCKERHUB_USER and DOCKERHUB_TOKEN to be set.
  • docker/setup-buildx-action: Sets up Docker Buildx builder instance. No special permissions required.
  • docker/metadata-action: Extracts metadata (tags, labels) from Git reference and GitHub events. No special permissions required.
  • docker/build-push-action: Builds and pushes Docker images using Buildx. Requires registry credentials to be configured via docker/login-action for push operations.

Related Actions

docker/setup-qemu-action is already approved (SHA 29109295f81e9208d7d86ff1c6c12d2833863392, tag v3.6.0). These four actions form the standard Docker CI/CD toolkit and are typically used together for multi-arch image builds.

Checklist

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license (Apache-2.0)
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

hubcio added a commit to apache/iggy that referenced this pull request Mar 20, 2026
…tion

Revert shell workaround from ba8e865 and restore
docker/setup-buildx-action usage. Pin all Docker actions to
exact commit SHAs per ASF GitHub Actions policy:

- docker/setup-qemu-action@29109295 (v3.6.0) - already approved
- docker/setup-buildx-action@8d2750c6 (v3.12.0)
- docker/login-action@c94ce9fb (v3.7.0)
- docker/metadata-action@c299e40c (v5.10.0)
- docker/build-push-action@10e90e36 (v6.19.2)

Allowlist PR: apache/infrastructure-actions#547
hubcio added a commit to apache/iggy that referenced this pull request Mar 20, 2026
ASF tightened GitHub Actions enforcement on 2026-03-20,
switching from "verified creators" to explicit allowlist
only. Docker actions that worked implicitly now require
SHA-pinned entries in apache/infrastructure-actions.

Restore docker/setup-buildx-action (reverts shell
workaround from ba8e865) and pin all Docker actions
to approved commit SHAs.

Allowlist PR: apache/infrastructure-actions#547
@dfoulks1 dfoulks1 merged commit 0e2e2ad into apache:main Mar 20, 2026
5 checks passed
dongjoon-hyun added a commit to apache/spark-kubernetes-operator that referenced this pull request Mar 21, 2026
…F approved patterns

### What changes were proposed in this pull request?

This PR aims to sync `docker`-related GitHub Actions versions to the ASF approved patterns.

### Why are the changes needed?

Currently, the CI is blocked by the ASF check because of the recent change.
- https://github.com/apache/spark-connect-swift/actions/runs/23365458370

- apache/infrastructure-actions#547

> The actions docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, docker/login-action@v3, and docker/build-push-action@v6 are not allowed in apache/spark-connect-swift because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns

As of now, the updated patterns are the following.

- https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L100-L104
```
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
- docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
- docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Manual review because the updated CI should be triggered manually.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-6)

Closes #567 from dongjoon-hyun/SPARK-56119.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
dongjoon-hyun added a commit to apache/spark-connect-swift that referenced this pull request Mar 21, 2026
…F approved patterns

### What changes were proposed in this pull request?

This PR aims to sync `docker`-related GitHub Actions versions to the ASF approved patterns.

### Why are the changes needed?

Currently, the CI is blocked by the ASF check because of the recent change.
- https://github.com/apache/spark-connect-swift/actions/runs/23365458370

- apache/infrastructure-actions#547

> The actions docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, docker/login-action@v3, and docker/build-push-action@v6 are not allowed in apache/spark-connect-swift because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns

As of now, the updated patterns are the following.

- https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L100-L104
```
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
- docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
- docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Manual review because the updated CI should be triggered manually.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-6)

Closes #334 from dongjoon-hyun/SPARK-56124.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
dongjoon-hyun added a commit to apache/spark that referenced this pull request Mar 21, 2026
… the ASF approved patterns

### What changes were proposed in this pull request?

This PR aims to sync `docker`-related GitHub Actions versions to the ASF approved patterns.

### Why are the changes needed?

Currently, the CI is blocked by the ASF check because of the recent change.
- https://github.com/apache/spark/actions/workflows/build_main.yml
  - https://github.com/apache/spark/actions/runs/23362042477
- https://github.com/apache/spark/actions/workflows/build_non_ansi.yml
  - https://github.com/apache/spark/actions/runs/23369253367

> The actions docker/login-action@v3, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, and docker/build-push-action@v6 are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns:

<img width="905" height="380" alt="Screenshot 2026-03-20 at 20 32 56" src="https://github.com/user-attachments/assets/2582b68a-6303-44ab-b961-d9b753072f1e" />

This is due to the following change.
- apache/infrastructure-actions#547

As of now, the updated patterns are the following.

- https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L100-L104
```
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
- docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
- docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Manually check like the following because the updated CI should be triggered manually.

```
$ git grep 'uses: docker' | sort | uniq -c
   5 .github/workflows/build_and_test.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_and_test.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
  16 .github/workflows/build_infra_images_cache.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-6)

Closes #54935 from dongjoon-hyun/SPARK-56126.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
dongjoon-hyun added a commit to apache/spark that referenced this pull request Mar 21, 2026
…ns to the ASF approved patterns

### What changes were proposed in this pull request?

This PR aims to sync `docker`-related GitHub Actions versions to the ASF approved patterns.

### Why are the changes needed?

Currently, the `branch-4.1` CI is blocked by the ASF check because of the recent change.
- https://github.com/apache/spark/actions/workflows/build_branch41_non_ansi.yml
  - https://github.com/apache/spark/actions/runs/23370546081

  > The actions docker/login-action@v3, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, and docker/build-push-action@v6 are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns:

This is due to the following change.
- apache/infrastructure-actions#547

As of now, the updated patterns are the following.

- https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L100-L104
```
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
- docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
- docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Manually check like the following because the updated CI should be triggered manually.

```
$ git grep 'uses: docker' | sort | uniq -c
   5 .github/workflows/build_and_test.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_and_test.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
  15 .github/workflows/build_infra_images_cache.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-6)

Closes #54936 from dongjoon-hyun/SPARK-56126-4.1.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
dongjoon-hyun added a commit to apache/spark that referenced this pull request Mar 21, 2026
…ns to the ASF approved patterns

### What changes were proposed in this pull request?

This PR aims to sync `docker`-related GitHub Actions versions to the ASF approved patterns.

### Why are the changes needed?

Currently, the `branch-4.0` CI is blocked by the ASF check because of the recent change.
- https://github.com/apache/spark/actions/workflows/build_branch40_non_ansi.yml
  - https://github.com/apache/spark/actions/runs/23370475022

  > The actions docker/login-action@v3, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, and docker/build-push-action@v6 are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns:

This is due to the following change.
- apache/infrastructure-actions#547

As of now, the updated patterns are the following.

- https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L100-L104
```
- docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
- docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
- docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
- docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Manually check like the following because the updated CI should be triggered manually.

```
$ git grep 'uses: docker' | sort | uniq -c
   5 .github/workflows/build_and_test.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_and_test.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_and_test.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
  12 .github/workflows/build_infra_images_cache.yml:        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
   1 .github/workflows/build_infra_images_cache.yml:        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
```

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-6)

Closes #54937 from dongjoon-hyun/dongjoon/hopeful-kepler.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
lupyuen added a commit to lupyuen14/nuttx that referenced this pull request Mar 22, 2026
All CI Builds have been failing since 18 hours ago:
- apache#18571 (comment)
- https://github.com/apache/nuttx/actions/runs/23389990049

> _The action docker/login-action@v4 is not allowed in apache/nuttx because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: 1Password/load-secrets-action@13f58ee, 1Password/load-secrets-action@8d0d610, 1Password/load-secrets-action@dafbe7c, AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*, DavidAnson/markdownlint-cli2-action@07035fd, DavidAnson/markdownlint-cli2-action@30a0e04, EnricoMi/publish-unit-test-result-action@*, JamesIves/github-pages-deploy-action@4a3abc7, JamesIves/github-pages-deploy-action@d92aa23, Jimver/cuda-toolkit@6008063, Jimver/cuda-toolkit@b6fc3a9, JustinBeckwith/linkinator-action@af984b9f30f63e796..._

That's because ASF Infrastructure Team has mandated that we use the Hash Versions of GitHub Actions for Docker, stated below:
- https://github.com/apache/infrastructure-actions/blob/main/actions.yml
- Which generates: https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml
- Due to: apache/infrastructure-actions#547

```yaml
docker/build-push-action:
  10e90e3645eae34f1e60eeb005ba3a3d33f178e8:
    tag: v6.19.2
docker/login-action:
  c94ce9fb468520275223c153574b00df6fe4bcc9:
    tag: v3.7.0
docker/metadata-action:
  c299e40c65443455700f0fdfc63efafe5b349051:
    tag: v5.10.0
docker/setup-buildx-action:
  8d2750c68a42422c14e847fe6c8ac0403b4cbd6f:
    tag: v3.12.0
```

This PR reverts our GitHub Actions for Docker to the hash versions stated above.

Signed-off-by: Lup Yuen Lee <[email protected]>
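
The allowlist check described in this thread can be run locally before pushing. The script below is an added example, not code from apache/infrastructure-actions or from any commit referenced here: it extracts every `uses:` reference from a workflow and reports the ones that would be rejected, together with the approved SHA pin for the same action. The pattern list is copied from the page; `TRUSTED_OWNERS`, the use of `fnmatch` to approximate GitHub's pattern matching, and the sample workflow are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Patterns quoted on this page (approved_patterns.yml excerpt and the CI error text).
APPROVED_PATTERNS = [
    "docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8",
    "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9",
    "docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051",
    "docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f",
    "docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392",
    "AdoptOpenJDK/install-jdk@*",
]

# Assumption: stands in for "owned by your enterprise" / "created by GitHub".
TRUSTED_OWNERS = {"apache", "actions", "github"}

# Matches `uses: ref` and `- uses: ref`, with optional quotes; a line that
# starts with '#' never matches, so commented-out steps are ignored.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")

# Constructed sample workflow (not taken from any repository on this page).
SAMPLE_WORKFLOW = """\
name: docker-publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login
        uses: "docker/login-action@v4"
      - name: Build
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
      # uses: docker/metadata-action@v5
"""


def parse_uses(workflow_text):
    """Yield (line_number, reference) for every `uses:` key in the text."""
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            yield number, match.group(1)


def audit(workflow_text, patterns=APPROVED_PATTERNS, trusted_owners=TRUSTED_OWNERS):
    """Return [(line, reference, approved_pins)] for references that would be blocked."""
    findings = []
    for number, ref in parse_uses(workflow_text):
        if ref.startswith("./"):
            continue  # action stored in the same repository
        if ref.split("/", 1)[0] in trusted_owners:
            continue  # enterprise-owned or GitHub-created
        if any(fnmatchcase(ref, pattern) for pattern in patterns):
            continue  # exact SHA pin or wildcard entry on the allowlist
        name = ref.split("@", 1)[0]
        pins = [p for p in patterns if p.split("@", 1)[0] == name]
        findings.append((number, ref, pins))
    return findings


if __name__ == "__main__":
    for number, ref, pins in audit(SAMPLE_WORKFLOW):
        hint = f"use {pins[0]}" if pins else "no approved pin; request one"
        print(f"line {number}: {ref} is not allowed ({hint})")
```
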
lupyuen added a commit to lupyuen14/nuttx-apps that referenced this pull request Mar 22, 2026
simbit18 pushed a commit to apache/nuttx that referenced this pull request Mar 22, 2026
lupyuen added a commit to apache/nuttx-apps that referenced this pull request Mar 22, 2026
terana pushed a commit to terana/spark that referenced this pull request Mar 23, 2026
Otpvondoiats pushed a commit to Otpvondoiats/nuttx that referenced this pull request Mar 31, 2026