xiangfu0 opened a new pull request, #18010: URL: https://github.com/apache/pinot/pull/18010
## Summary

- Pin `docker/login-action`, `docker/setup-qemu-action`, and `docker/setup-buildx-action` to exact commit SHAs approved in the [ASF infrastructure-actions allowlist](https://github.com/apache/infrastructure-actions/blob/main/actions.yml), as required by the [ASF GitHub Actions policy](https://infra.apache.org/github-actions-policy.html)
- Replace `aquasecurity/trivy-action@master` (not in ASF allowlist) with direct Trivy CLI installation and invocation in the vulnerability check workflow

## Details

The ASF GitHub Actions policy requires all third-party actions (outside `apache/*`, `github/*`, `actions/*` namespaces) to be pinned to exact commit SHAs registered in the allowlist. These workflows were using tag references (`@v4`, `@master`) which are now rejected by the ASF enterprise action restrictions.

### Actions pinned (all from `actions.yml` allowlist):

| Action | SHA | Tag |
|--------|-----|-----|
| `docker/login-action` | `b45d80f862d83dbcd57f89517bcf500b2ab88fb2` | v4.0.0 |
| `docker/setup-qemu-action` | `ce360397dd3f832beb865e1373c09c0e9f86d70a` | v4.0.0 |
| `docker/setup-buildx-action` | `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` | v4.0.0 |

### Trivy action replacement:

Since `aquasecurity/trivy-action` is not in the ASF allowlist, the vulnerability check workflow now installs Trivy via apt and runs the scan directly via CLI with the same parameters (SARIF output, CRITICAL+HIGH severity, os+library vuln types, `.trivyignore` support).
### Files changed:

- `.github/workflows/build-multi-arch-pinot-docker-image.yml`
- `.github/workflows/build-pinot-base-docker-image.yml`
- `.github/workflows/build-pinot-docker-image.yml`
- `.github/workflows/build-superset-docker-image.yml`
- `.github/workflows/pinot_vuln_check.yml`

## Test plan

- [ ] Verify the Docker build workflows can be triggered successfully via workflow_dispatch
- [ ] Verify the vulnerability check workflow runs Trivy scan and uploads SARIF results correctly
- [ ] Confirm no other third-party actions remain referenced by tag instead of SHA

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
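The last item of the test plan, confirming that no third-party action is still referenced by a tag, can be automated. The audit below is an added example, not part of the PR or of the Pinot repository; it applies the policy stated in the PR (SHA pinning required outside the `apache/`, `github/` and `actions/` namespaces) to `uses:` lines, and the workflow fragment it scans is constructed for the demo, reusing the `docker/login-action` SHA quoted in the PR.

```shell
#!/bin/sh
# Added example (not part of the PR): list `uses:` references to third-party
# actions that are not pinned to a full 40-hex commit SHA, as the ASF GitHub
# Actions policy requires. References in the apache/, github/ and actions/
# namespaces and local (./) actions are exempt.
# Output: "file:line: owner/repo@ref" per offender; exit status 1 if any found.
find_unpinned_actions() {
    awk -v sq="'" '
        /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
            ref = $0
            sub(/^[^:]*uses:[[:space:]]*/, "", ref)      # keep only the value
            gsub(/"/, "", ref); gsub(sq, "", ref)          # strip quoting
            sub(/[[:space:]]*#.*$/, "", ref)               # strip trailing comment
            if (ref ~ /^\.\//) next                        # local action, exempt
            if (ref ~ /^(actions|github|apache)\//) next   # first-party namespace
            n = split(ref, parts, "@")
            if (n == 2 && length(parts[2]) == 40 && parts[2] ~ /^[0-9a-f]+$/) next
            bad++
            printf "%s:%d: %s\n", FILENAME, FNR, ref
        }
        END { exit (bad > 0) }' "$@"
}

# Runs the audit over a constructed workflow fragment (sample input, not a file
# from the Pinot repository). The pinned SHA is the login-action SHA quoted in
# the PR; the two tag references mirror the kind of lines the PR replaces.
demo_unpinned_actions() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-pinot
      - name: Log in to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      - uses: docker/setup-buildx-action@v4
      - uses: "aquasecurity/trivy-action@master"
EOF
    find_unpinned_actions "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}
```

Run `find_unpinned_actions .github/workflows/*.yml` in CI; a non-zero exit status fails the job whenever a tag reference to a third-party action reappears.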
