Skip to content

Fix CI workflows: approved docker/login-action SHA + retry flaky docker build#229

Merged
wu-sheng merged 2 commits into
masterfrom
fix-docker-login-action-pin
Jun 3, 2026
Merged

Fix CI workflows: approved docker/login-action SHA + retry flaky docker build#229
wu-sheng merged 2 commits into
masterfrom
fix-docker-login-action-pin

Conversation

@wu-sheng
Copy link
Copy Markdown
Member

@wu-sheng wu-sheng commented Jun 3, 2026
edited
Loading

Two CI-workflow robustness fixes surfaced by the master CI run after #228.

1. publish-docker.yaml — approved docker/login-action SHA

The ASF GitHub Actions policy only permits third-party actions pinned to an allowed commit SHA, so docker/login-action@v1.10.0 (a version tag) is rejected:

The action docker/login-action@v1.10.0 is not allowed in apache/skywalking-cli because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns …

Pinned to c94ce9fb468520275223c153574b00df6fe4bcc9 — the same revision the apache/skywalking workflows already use (so it's on the ASF allow-list). Inputs (registry/username/password) are unchanged, so it's a drop-in change. This was the only blocked action in the repo.

2. CI.yaml Build job — retry the docker build

The Build job's make docker step boots buildkit by pulling moby/buildkit:buildx-stable-1 from Docker Hub, which intermittently times out on shared runners:

#1 pulling image moby/buildkit:buildx-stable-1
#1 ERROR: Get "https://registry-1.docker.io/v2/": ... Client.Timeout exceeded while awaiting headers
make: *** [Makefile:168: docker] Error 1

This flaked the Build job (and the Required gate) on the post-#228 master run, while all other jobs — including the new e2e suites — passed. Added a single retry (make docker || make docker), mirroring the existing make docker.push || make docker.push pattern already used in publish-docker.yaml.

🤖 Generated with Claude Code

@wu-sheng @claude
Pin docker/login-action to an approved commit SHA
4a0a3cb 
The ASF GitHub Actions policy only allows third-party actions pinned to an
allowed commit SHA, so `docker/login-action@v1.10.0` is rejected. Pin it to
`c94ce9fb468520275223c153574b00df6fe4bcc9`, the same revision the apache/skywalking
workflows use. The inputs (registry/username/password) are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@wu-sheng wu-sheng added this to the 0.15.0 milestone Jun 3, 2026
kezhenxu94
kezhenxu94 previously approved these changes Jun 3, 2026
View reviewed changes
@wu-sheng @claude
Retry the CI Build job's docker build on transient Docker Hub timeouts
f9548ad 
The Build job's `make docker` step boots buildkit by pulling moby/buildkit
from Docker Hub, which intermittently times out on shared runners
("Client.Timeout exceeded while awaiting headers"). Retry once, mirroring the
existing `make docker.push || make docker.push` pattern in publish-docker.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@wu-sheng wu-sheng changed the title Pin docker/login-action to an approved commit SHA Fix CI workflows: approved docker/login-action SHA + retry flaky docker build Jun 3, 2026
@wu-sheng wu-sheng merged commit b447211 into master Jun 3, 2026
7 checks passed
@wu-sheng wu-sheng deleted the fix-docker-login-action-pin branch June 3, 2026 08:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wankai123 wankai123 wankai123 approved these changes

@kezhenxu94 kezhenxu94 kezhenxu94 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.15.0

Development

Successfully merging this pull request may close these issues.

3 participants

@wu-sheng @kezhenxu94 @wankai123