From f697b017472da3483084acf3875429a03d5a3083 Mon Sep 17 00:00:00 2001 From: Mason Huang Date: Thu, 16 Apr 2026 19:23:03 +0800 Subject: [PATCH] CI: pin Docker-related GitHub Actions (#67632) * CI: pin Docker-related GitHub Actions * CI: pin docker build-push action --- .github/workflows/docker-release.yml | 18 +++++++++--------- .github/workflows/install-smoke.yml | 10 +++++----- .github/workflows/sandbox-common-smoke.yml | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 3febad02f50..ca9f406ab91 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -83,10 +83,10 @@ jobs: fetch-depth: 0 - name: Set up Docker Builder - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -153,7 +153,7 @@ jobs: - name: Build and push amd64 image id: build # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: linux/amd64 @@ -167,7 +167,7 @@ jobs: - name: Build and push amd64 slim image id: build-slim # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: linux/amd64 @@ -200,10 +200,10 @@ jobs: fetch-depth: 0 - name: Set up Docker Builder - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -270,7 +270,7 @@ jobs: - name: Build and push arm64 image id: build # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: linux/arm64 @@ -284,7 +284,7 @@ jobs: - name: Build and push arm64 slim image id: build-slim # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: linux/arm64 @@ -314,7 +314,7 @@ jobs: fetch-depth: 0 - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} diff --git a/.github/workflows/install-smoke.yml b/.github/workflows/install-smoke.yml index 275dcbcf22d..0211e1fc390 100644 --- a/.github/workflows/install-smoke.yml +++ b/.github/workflows/install-smoke.yml @@ -95,12 +95,12 @@ jobs: uses: actions/checkout@v6 - name: Set up Docker Builder - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 # Blacksmith can fall back to the local docker driver, which rejects gha # cache export/import. Keep smoke builds driver-agnostic. - name: Build root Dockerfile smoke image - uses: useblacksmith/build-push-action@v2 + uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 with: context: . file: ./Dockerfile @@ -119,7 +119,7 @@ jobs: # runtime deps declared by the plugin and that matrix discovery stays # healthy in the final runtime image. - name: Build extension Dockerfile smoke image - uses: useblacksmith/build-push-action@v2 + uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 with: context: . file: ./Dockerfile @@ -177,7 +177,7 @@ jobs: ' - name: Build installer smoke image - uses: useblacksmith/build-push-action@v2 + uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 with: context: ./scripts/docker file: ./scripts/docker/install-sh-smoke/Dockerfile @@ -188,7 +188,7 @@ jobs: - name: Build installer non-root image if: github.event_name != 'pull_request' - uses: useblacksmith/build-push-action@v2 + uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 with: context: ./scripts/docker file: ./scripts/docker/install-sh-nonroot/Dockerfile diff --git a/.github/workflows/sandbox-common-smoke.yml b/.github/workflows/sandbox-common-smoke.yml index 172af769512..54ff92751eb 100644 --- a/.github/workflows/sandbox-common-smoke.yml +++ b/.github/workflows/sandbox-common-smoke.yml @@ -35,7 +35,7 @@ jobs: submodules: false - name: Set up Docker Builder - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Build minimal sandbox base (USER sandbox) shell: bash