
CI: Revert GitHub Actions for Docker, by hash #18575

Merged

simbit18 merged 1 commit into apache:master from lupyuen14:fix-docker-actions2
Mar 22, 2026

Conversation

lupyuen (Member) commented Mar 22, 2026

Summary

(Sorry to resubmit this PR. We must specify the GitHub Actions by Hash, not Version Number)

All CI Builds have been failing since 18 hours ago:

The action docker/login-action@v4 is not allowed in apache/nuttx because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: 1Password/load-secrets-action@13f58ee, 1Password/load-secrets-action@8d0d610, 1Password/load-secrets-action@dafbe7c, AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*, DavidAnson/markdownlint-cli2-action@07035fd, DavidAnson/markdownlint-cli2-action@30a0e04, EnricoMi/publish-unit-test-result-action@*, JamesIves/github-pages-deploy-action@4a3abc7, JamesIves/github-pages-deploy-action@d92aa23, Jimver/cuda-toolkit@6008063, Jimver/cuda-toolkit@b6fc3a9, JustinBeckwith/linkinator-action@af984b9f30f63e796...

That's because the ASF Infrastructure Team has mandated that we use the Hash Versions of GitHub Actions for Docker, stated below:

```yaml
docker/build-push-action:
  10e90e3645eae34f1e60eeb005ba3a3d33f178e8:
    tag: v6.19.2
docker/login-action:
  c94ce9fb468520275223c153574b00df6fe4bcc9:
    tag: v3.7.0
docker/metadata-action:
  c299e40c65443455700f0fdfc63efafe5b349051:
    tag: v5.10.0
docker/setup-buildx-action:
  8d2750c68a42422c14e847fe6c8ac0403b4cbd6f:
    tag: v3.12.0
```

This PR reverts our GitHub Actions for Docker to the hash versions stated above.

Impact

All CI Builds will now be started correctly.

Testing

We tested the updated GitHub Actions for Docker in our own NuttX Repo. The CI Build runs successfully:

All CI Builds have been failing since 18 hours ago:
- apache#18571 (comment)
- https://github.com/apache/nuttx/actions/runs/23389990049

> _The action docker/login-action@v4 is not allowed in apache/nuttx because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: 1Password/load-secrets-action@13f58ee, 1Password/load-secrets-action@8d0d610, 1Password/load-secrets-action@dafbe7c, AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*, DavidAnson/markdownlint-cli2-action@07035fd, DavidAnson/markdownlint-cli2-action@30a0e04, EnricoMi/publish-unit-test-result-action@*, JamesIves/github-pages-deploy-action@4a3abc7, JamesIves/github-pages-deploy-action@d92aa23, Jimver/cuda-toolkit@6008063, Jimver/cuda-toolkit@b6fc3a9, JustinBeckwith/linkinator-action@af984b9f30f63e796..._

That's because the ASF Infrastructure Team has mandated that we use the Hash Versions of GitHub Actions for Docker, stated below:
- https://github.com/apache/infrastructure-actions/blob/main/actions.yml
- Which generates: https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml
- Due to: apache/infrastructure-actions#547

```yaml
docker/build-push-action:
  10e90e3645eae34f1e60eeb005ba3a3d33f178e8:
    tag: v6.19.2
docker/login-action:
  c94ce9fb468520275223c153574b00df6fe4bcc9:
    tag: v3.7.0
docker/metadata-action:
  c299e40c65443455700f0fdfc63efafe5b349051:
    tag: v5.10.0
docker/setup-buildx-action:
  8d2750c68a42422c14e847fe6c8ac0403b4cbd6f:
    tag: v3.12.0
```

This PR reverts our GitHub Actions for Docker to the hash versions stated above.

Signed-off-by: Lup Yuen Lee <luppy@appkaki.com>
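The pinning rule this PR applies can be checked mechanically before GitHub rejects a run. The script below is an added example for this page, not code from apache/nuttx or ASF Infra: it parses an allow-list in the actions.yml shape quoted above (the four docker entries are copied from the PR), scans a constructed sample workflow for `uses:` references, and flags anything that is not a full 40-character commit SHA present on the list. The strictness is the script's own policy; GitHub's glob matching and the `@*` wildcard patterns seen in the error message are not modelled, and `ALLOWLIST_YAML`, `SAMPLE_WORKFLOW`, `parse_allowlist`, `check_workflow` and `pin_line` are names chosen here. The security point being checked: `v4` is a mutable git tag that can be moved to different content after it was reviewed, whereas a commit SHA names exactly one tree.

```python
"""Verify that every `uses:` in a GitHub Actions workflow is pinned to a full
commit SHA that appears in an allow-list of the form quoted in the PR
(action -> sha -> tag).  Added example for this page; not NuttX or ASF Infra
tooling.  The sample workflow below is constructed, not taken from apache/nuttx.
The policy enforced (full 40-hex SHA, present in the allow-list) is this
script's own and stricter than GitHub's pattern matching."""
import re

# Allow-list excerpt copied from the PR (actions.yml layout: action -> sha -> tag).
ALLOWLIST_YAML = """\
docker/build-push-action:
  10e90e3645eae34f1e60eeb005ba3a3d33f178e8:
    tag: v6.19.2
docker/login-action:
  c94ce9fb468520275223c153574b00df6fe4bcc9:
    tag: v3.7.0
docker/metadata-action:
  c299e40c65443455700f0fdfc63efafe5b349051:
    tag: v5.10.0
docker/setup-buildx-action:
  8d2750c68a42422c14e847fe6c8ac0403b4cbd6f:
    tag: v3.12.0
"""

# Constructed sample workflow: a tag reference (the form that failed CI), a
# short SHA, a full SHA that is not on the list, and one correctly pinned action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v4
      - uses: docker/setup-buildx-action@8d2750c
      - uses: docker/metadata-action@0000000000000000000000000000000000000000
      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def parse_allowlist(text):
    """Parse the two-level actions.yml layout into {action: {sha: tag}}.

    Only the indentation shape quoted in the PR is handled (this is not a
    general YAML parser); an unexpected line raises instead of being ignored,
    and a non-SHA key is rejected so the list itself cannot smuggle in a tag.
    """
    allow, action, sha = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0 and line.endswith(":"):
            action = line[:-1]
            allow[action] = {}
        elif indent == 2 and line.endswith(":") and action:
            sha = line[:-1].lower()
            if not FULL_SHA.match(sha):
                raise ValueError(f"allow-list key for {action} is not a full SHA: {sha}")
            allow[action][sha] = None
        elif indent == 4 and line.startswith("tag:") and action and sha:
            allow[action][sha] = line.split(":", 1)[1].strip()
        else:
            raise ValueError(f"unexpected allow-list line: {raw!r}")
    return allow


def check_workflow(workflow_text, allow):
    """Return (line_no, reference, reason) for every `uses:` that is not a
    full commit SHA listed for that action in the allow-list."""
    findings = []
    for n, raw in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(raw)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # local action in this repo: no upstream ref
            continue
        if "@" not in ref:
            findings.append((n, ref, "no @ref"))
            continue
        action, version = ref.rsplit("@", 1)
        if not FULL_SHA.match(version.lower()):
            findings.append((n, ref, "not pinned to a full 40-hex commit SHA"))
        elif action not in allow:
            findings.append((n, ref, "action is not on the allow-list"))
        elif version.lower() not in allow[action]:
            findings.append((n, ref, "SHA is not an approved version of this action"))
    return findings


def pin_line(action, allow):
    """Render the approved `uses:` line for an action, with the tag kept as a
    trailing comment so the version stays human-readable next to the hash."""
    sha, tag = next(iter(allow[action].items()))   # first listed approved SHA
    return f"uses: {action}@{sha} # {tag}"


if __name__ == "__main__":
    approved = parse_allowlist(ALLOWLIST_YAML)
    for line_no, ref, why in check_workflow(SAMPLE_WORKFLOW, approved):
        print(f"line {line_no}: {ref}: {why}")
    print(pin_line("docker/login-action", approved))
```

Run as-is it reports the four bad references in the sample (two tags, one short SHA, one unapproved full SHA) and prints the approved `docker/login-action` line. Pointed at `.github/workflows/*.yml` from a pre-commit hook or a CI job, `check_workflow` catches a `@v4` before the run is refused. A SHA pin still only guarantees which commit runs, not that the commit is benign; the allow-list review is the second control.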
github-actions bot added labels Area: CI, Size: XS on Mar 22, 2026
cederom (Contributor) left a comment

Thank you @lupyuen :-)

cederom (Contributor) commented Mar 22, 2026

Yeah because c94ce9fb468520275223c153574b00df6fe4bcc9 is far more readable than v3.7.0 and also confirms it's a release :D :D

lupyuen (Member, Author) commented Mar 22, 2026

@simbit18 FYI we need to update docker/login-action before June 2026, but after ASF has approved the new version (sigh): https://github.com/apache/nuttx/actions/runs/23392538906

> Linux (risc-v-01)
> Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: docker/login-action@c94ce9f. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

lupyuen (Member, Author) commented Mar 22, 2026

Yep the ASF Policy Change is due to the Trivy Security Incident. Yesterday somehow I failed to understand the meaning of the exact words when I read this broadcast email (maybe actions should have been stated explicitly as GitHub Actions): https://news.apache.org/foundation/entry/initial-report-on-trivy-security-incident

> ASF Infra and ASF Security agreed to disable all previously allowed “verified creator” actions while the incident is being investigated
>
> This may cause build failures, and require projects request newly-failed actions be added via the Infra GHA approval process: github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list

cederom (Contributor) commented Mar 22, 2026

Yup, saw that too, better safe than sorry :-)

cederom (Contributor) commented Mar 22, 2026

I also had this idea once to verify master history against injected changes. This may come handy :-P Maybe there are projects like that already? :-)

simbit18 merged commit a84d263 into apache:master Mar 22, 2026
58 of 78 checks passed