This is an automated email from the ASF dual-hosted git repository. wusheng pushed a commit to branch fix/pin-docker-actions-to-approved-shas in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit c5193ff867d23e67394cc1e4cebe957b93445160 Author: Wu Sheng <[email protected]> AuthorDate: Sat Mar 21 22:25:04 2026 +0800 Pin Docker GitHub Actions to Apache approved SHAs Replace version tags with SHA pins from Apache infrastructure-actions approved_patterns.yml to comply with the enterprise action allow list. - docker/login-action: v3/v1.10.0 → c94ce9fb... - docker/setup-buildx-action: v3 → 8d2750c6... - docker/setup-qemu-action: v3 → 29109295... --- .claude/skills/ci-e2e-debug/SKILL.md | 8 ++++++++ .github/workflows/publish-docker-e2e-service.yaml | 6 +++--- .github/workflows/publish-docker.yaml | 6 +++--- .github/workflows/skywalking.yaml | 8 ++++---- CLAUDE.md | 9 +++++++++ 5 files changed, 27 insertions(+), 10 deletions(-) diff --git a/.claude/skills/ci-e2e-debug/SKILL.md b/.claude/skills/ci-e2e-debug/SKILL.md index 23723d85e9..171b0fb165 100644 --- a/.claude/skills/ci-e2e-debug/SKILL.md +++ b/.claude/skills/ci-e2e-debug/SKILL.md @@ -34,6 +34,14 @@ Download test log artifacts from a GitHub Actions CI run and inspect them for er 5. **Report findings**: Summarize the root cause error from the logs. +## Fixing "action is not allowed" errors + +If a CI run or PR is blocked because a GitHub Action is not on the Apache allow list: + +1. **Check the approved list**: https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml +2. **Update the workflow**: Replace the version tag (e.g., `@v3`) with the approved SHA pin from the list. +3. Actions owned by `actions/*`, `github/*`, and `apache/*` are always allowed (enterprise-owned) and don't need SHA pins. + ## Notes - CI artifacts are automatically uploaded by the e2e test framework to `$SW_INFRA_E2E_LOG_DIR` - Log files are organized by namespace/pod name diff --git a/.github/workflows/publish-docker-e2e-service.yaml b/.github/workflows/publish-docker-e2e-service.yaml index 661053ec40..e96ab745eb 100644 --- a/.github/workflows/publish-docker-e2e-service.yaml 
+++ b/.github/workflows/publish-docker-e2e-service.yaml @@ -51,14 +51,14 @@ jobs: restore-keys: | ${{ runner.os }}-maven- - name: Log in to the Container registry - uses: docker/[email protected] + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ${{ env.HUB }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f - name: Build and push images run: make -C test build.e2e-service docker.push-e2e-service diff --git a/.github/workflows/publish-docker.yaml b/.github/workflows/publish-docker.yaml index 3e2a3c757d..4d4fd851d9 100644 --- a/.github/workflows/publish-docker.yaml +++ b/.github/workflows/publish-docker.yaml @@ -66,15 +66,15 @@ jobs: echo "TAG=${{ github.sha }}" >> $GITHUB_ENV fi - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ${{ env.DOCKER_REGISTRY }} username: ${{ env.DOCKER_USERNAME }} password: ${{ env.DOCKER_PASSWORD }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f - name: Build and push docker images based on Java 11 env: SW_OAP_BASE_IMAGE: eclipse-temurin:11-jre diff --git a/.github/workflows/skywalking.yaml b/.github/workflows/skywalking.yaml index 3e4158e969..eeb41da645 100644 --- a/.github/workflows/skywalking.yaml +++ b/.github/workflows/skywalking.yaml 
@@ -734,7 +734,7 @@ jobs: name: dist path: dist - name: Login to ghcr - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -821,7 +821,7 @@ jobs: find docker-images -name "*.tar" -exec docker load -i {} \; find docker-images -name "*.tar" -exec rm {} \; - name: Login to ghcr - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -892,7 +892,7 @@ jobs: find docker-images -name "*.tar" -exec docker load -i {} \; find docker-images -name "*.tar" -exec rm {} \; - name: Login to ghcr - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -1007,7 +1007,7 @@ jobs: name: dist path: dist - name: Login to ghcr - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ghcr.io username: ${{ github.repository_owner }} diff --git a/CLAUDE.md b/CLAUDE.md index 0307c6c0c5..5cda8aa29b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -231,6 +231,15 @@ Always use `--recurse-submodules` when cloning or update submodules manually. Use the `/gh-pull-request` skill for committing and pushing to a PR branch. It runs pre-flight checks (compile, checkstyle, license headers) before every push, and creates the PR if one doesn't exist yet. +## GitHub Actions Allow List + +Apache enforces an allow list for third-party GitHub Actions. All third-party actions must be pinned to an approved SHA from: +https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml + +If a PR is blocked by "action is not allowed" errors, check the approved list and update `.github/workflows/` files to use the approved SHA pin instead of a version tag. + +Actions owned by `actions/*` (GitHub), `github/*`, and `apache/*` are always allowed (enterprise-owned). + ## Tips for AI Assistants 1. **Always check submodules**: Protocol changes may require submodule updates
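Review bot: the new `uses:` lines in publish-docker-e2e-service.yaml, publish-docker.yaml and skywalking.yaml carry a bare 40-character SHA with nothing recording which release it resolves to, so the next person to bump or audit the pins has to look each hash up by hand; suggest carrying the tag-to-SHA mapping from the commit message into the workflows as a trailing YAML comment, e.g. `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3`, `uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3` and `uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3`, which keeps the pin enforceable while making future updates reviewable against the approved list.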
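Review bot: in the publish-docker-e2e-service.yaml hunk the "Log in to the Container registry" step moves from the `v1.10.0` tag of `docker/login-action` to the same SHA that replaces `@v3` everywhere else in the patch, so this one line is a two-major-version upgrade as well as a pin, unlike every other change here; suggest stating that explicitly in the commit message (the single `v3/v1.10.0 → c94ce9fb...` bullet blurs the two cases together) and confirming on a CI run that the `registry`, `username` and `password` inputs the step passes behave the same under the newer action before merging.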
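Review bot: the CLAUDE.md hunk restates the new SKILL.md section almost verbatim (same approved_patterns.yml link, same three always-allowed owner prefixes, same "replace the tag with the approved SHA" instruction), so the two copies will drift the first time the allow-list rules change; suggest keeping the full guidance in one file and having the other point at it, e.g. `See the "Fixing \"action is not allowed\" errors" section of .claude/skills/ci-e2e-debug/SKILL.md`. Step 2 of the SKILL.md list could also say to take the SHA from the list entry itself and verify it matches what lands in the diff, rather than copying a pin from another workflow, since the pin only carries the allow-list guarantee when it is the exact commit the list names.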
