From 4a0a3cbf026fac314de82170463c5c24e97349d6 Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Wed, 3 Jun 2026 15:10:04 +0800 Subject: [PATCH 1/2] Pin docker/login-action to an approved commit SHA The ASF GitHub Actions policy only allows third-party actions pinned to an allowed commit SHA, so `docker/login-action@v1.10.0` is rejected. Pin it to `c94ce9fb468520275223c153574b00df6fe4bcc9`, the same revision the apache/skywalking workflows use. The inputs (registry/username/password) are unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/publish-docker.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docker.yaml b/.github/workflows/publish-docker.yaml index 3030c85..e72414a 100644 --- a/.github/workflows/publish-docker.yaml +++ b/.github/workflows/publish-docker.yaml @@ -45,7 +45,7 @@ jobs: with: go-version: "1.26" - name: Log in to the Container registry - uses: docker/login-action@v1.10.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: registry: ${{ env.HUB }} username: ${{ github.actor }} From f9548ad56fc32b29daa90a905f1b264d869aaba0 Mon Sep 17 00:00:00 2001 From: Wu Sheng Date: Wed, 3 Jun 2026 15:46:59 +0800 Subject: [PATCH 2/2] Retry the CI Build job's docker build on transient Docker Hub timeouts The Build job's `make docker` step boots buildkit by pulling moby/buildkit from Docker Hub, which intermittently times out on shared runners ("Client.Timeout exceeded while awaiting headers"). Retry once, mirroring the existing `make docker.push || make docker.push` pattern in publish-docker.yaml. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/CI.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml index f768792..a7b6193 100644 --- a/.github/workflows/CI.yaml +++ b/.github/workflows/CI.yaml @@ -84,7 +84,10 @@ jobs: run: make build -j3 - name: Build Docker images - run: make docker + # Retry once: booting buildkit pulls moby/buildkit from Docker Hub, which + # intermittently times out on shared runners. Mirrors publish-docker.yaml's + # `make docker.push || make docker.push`. + run: make docker || make docker command-tests: