CI: use commit hash for Docker actions #1688

Open
tuhaihe wants to merge 1 commit into apache:main from tuhaihe:update-docker-container-workflow-commit
@tuhaihe tuhaihe commented Apr 21, 2026

Replace version tags with commit hashes for Docker GitHub Actions to comply with Apache organization security requirements.

Changes:

  • docker/setup-qemu-action@v3 → @c7c53464625b32c7a7e944ae62b3e17d2b600130 (v3.7.0)
  • docker/login-action@v3 → @c94ce9fb468520275223c153574b00df6fe4bcc9 (v3.7.0)
  • docker/setup-buildx-action@v3 → @8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3.12.0)
  • docker/build-push-action@v6 → @10e90e3645eae34f1e60eeb005ba3a3d33f178e8 (v6.19.2)

Affected workflows:

  • .github/workflows/docker-cbdb-build-containers.yml
  • .github/workflows/docker-cbdb-test-containers.yml

Fixes #1687


Replace version tags with commit hashes for Docker GitHub Actions
to comply with Apache organization security requirements.

Changes:
- docker/setup-qemu-action@v3 → @c7c53464625b32c7a7e944ae62b3e17d2b600130 (v3.7.0)
- docker/login-action@v3 → @c94ce9fb468520275223c153574b00df6fe4bcc9 (v3.7.0)
- docker/setup-buildx-action@v3 → @8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3.12.0)
- docker/build-push-action@v6 → @10e90e3645eae34f1e60eeb005ba3a3d33f178e8 (v6.19.2)

Affected workflows:
- .github/workflows/docker-cbdb-build-containers.yml
- .github/workflows/docker-cbdb-test-containers.yml

Fixes apache#1687
@leborchuk leborchuk left a comment

Yes, the recommendation is here: https://github.com/apache/tooling-actions#versioning-policy

Versioning Policy
We do not tag versions. For security and stability, you must refer to every action by its pinned commit hash (SHA). Do not use @main or @v1

It's better to use hash commits

Development

Successfully merging this pull request may close these issues.

[Bug] CI: docker-cbdb-test-containers workflow failed