
ORC-2182: Pin docker setup actions to approved commit hashes to recover CIs#2655

Closed
dongjoon-hyun wants to merge 1 commit into apache:main from dongjoon-hyun:ORC-2182

Conversation

@dongjoon-hyun dongjoon-hyun commented Jul 1, 2026

Member

What changes were proposed in this pull request?

This PR pins two docker/* GitHub Actions in .github/workflows/build_and_test.yml to commit hashes approved by the ASF (apache/infrastructure-actions/approved_patterns.yml):

| Action | Before | After |
| --- | --- | --- |
| docker/setup-qemu-action | @v3 | @c7c53464625b32c7a7e944ae62b3e17d2b600130 (v3.7.0) |
| docker/setup-buildx-action | @v3 | @d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 (v4.1.0) |

Note that the approved patterns list has no v3.x hash for docker/setup-buildx-action, so it is bumped from v3 to the latest approved v4.1.0.

Why are the changes needed?

The ASF infrastructure policy requires third-party GitHub Actions to be pinned to approved commit hashes instead of mutable version tags, to prevent supply-chain attacks from tag reassignment.

Currently, the CI is broken like the following.

[Screenshot: failing CI run, 2026-07-01]

How was this patch tested?

Pass the GitHub Actions.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8
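As an added illustration of the policy this PR applies (example code written for this page, not part of the PR or the ORC project), the script below audits the `uses:` references in a workflow and reports which third-party actions are still on a mutable tag, which are pinned to a full commit SHA but not on the approved list, and which are pinned to an approved hash. The workflow text is a constructed sample, not ORC's real build_and_test.yml; the approved list is an assumed mapping of action name to SHA set seeded with the two hashes cited above, and is a simplification rather than the actual schema of the ASF approved_patterns.yml.

```python
import re
from typing import Dict, List, Set

# Constructed sample workflow fragment (not the project's real file):
# one step on a mutable tag, two pinned to the hashes quoted in the PR,
# and one local action that needs no pinning.
SAMPLE_WORKFLOW = """\
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - uses: ./.github/actions/local-step
"""

# Assumed approved list: action name -> approved full-length commit SHAs.
# The two entries are the hashes this PR cites; the structure is a
# simplification, not the real layout of approved_patterns.yml.
APPROVED: Dict[str, Set[str]] = {
    "docker/setup-qemu-action": {"c7c53464625b32c7a7e944ae62b3e17d2b600130"},
    "docker/setup-buildx-action": {"d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"},
}

# Matches "- uses: owner/repo@ref" and stops before any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex SHA; abbreviated SHAs are rejected because they are not
# collision-resistant and GitHub does not treat them as immutable pins.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[str]:
    """Return every `uses:` reference in the workflow, in file order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def classify(ref: str, approved: Dict[str, Set[str]] = APPROVED) -> str:
    """Classify one reference:
    'local'      - path-based action inside this repo, nothing to pin
    'mutable'    - tag, branch, or short SHA that a maintainer could move
    'unapproved' - full SHA, but not on the approved list
    'approved'   - full SHA that the approved list contains
    """
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "mutable"
    action, _, version = ref.rpartition("@")
    if not SHA_RE.match(version):
        return "mutable"
    if version in approved.get(action, set()):
        return "approved"
    return "unapproved"


def audit(workflow_text: str, approved: Dict[str, Set[str]] = APPROVED) -> Dict[str, str]:
    """Map each reference in the workflow to its classification."""
    return {ref: classify(ref, approved) for ref in parse_uses(workflow_text)}


def violations(workflow_text: str, approved: Dict[str, Set[str]] = APPROVED) -> List[str]:
    """References that would fail the pin-to-approved-hash policy."""
    return [ref for ref, status in audit(workflow_text, approved).items()
            if status in ("mutable", "unapproved")]


if __name__ == "__main__":
    for ref, status in audit(SAMPLE_WORKFLOW).items():
        print(f"{status:10} {ref}")
    print("violations:", violations(SAMPLE_WORKFLOW))
```

Run against the sample, the only violation reported is `actions/checkout@v4`; the two docker actions pass because both their SHA and their action name match the approved list, so a hash approved for one action cannot be reused to smuggle in a different one.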

@dongjoon-hyun dongjoon-hyun (Member, Author) commented

Since CI is triggered successfully, this is verified already.

@dongjoon-hyun dongjoon-hyun added this to the 3.0.0 milestone Jul 1, 2026
@dongjoon-hyun dongjoon-hyun deleted the ORC-2182 branch July 1, 2026 15:40
