CI: use commit hash for Docker actions

tuhaihe · tuhaihe · commit b84f7c67a9e9 · 2026-04-22T09:24:32.000+08:00
Replace version tags with commit hashes for Docker GitHub Actions to comply with Apache organization security requirements. Changes: - docker/setup-qemu-action@v3 → @c7c53464625b32c7a7e944ae62b3e17d2b600130 (v3.7.0) - docker/login-action@v3 → @c94ce9fb468520275223c153574b00df6fe4bcc9 (v3.7.0) - docker/setup-buildx-action@v3 → @8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3.12.0) - docker/build-push-action@v6 → @10e90e3645eae34f1e60eeb005ba3a3d33f178e8 (v6.19.2) Affected workflows: - .github/workflows/docker-cbdb-build-containers.yml - .github/workflows/docker-cbdb-test-containers.yml Fixes #1687
diff --git a/.github/workflows/docker-cbdb-build-containers.yml b/.github/workflows/docker-cbdb-build-containers.yml
@@ -117,13 +117,13 @@ jobs:
       # This allows building ARM64 images on AMD64 infrastructure and vice versa
       - name: Set up QEMU
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' }}
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       # Login to DockerHub for pushing images
       # Requires DOCKERHUB_USER and DOCKERHUB_TOKEN secrets to be set
       - name: Login to Docker Hub
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -132,7 +132,7 @@ jobs:
       # Enable debug mode for better troubleshooting
       - name: Set up Docker Buildx
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' }}
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           buildkitd-flags: --debug
 
@@ -172,7 +172,7 @@ jobs:
       # This creates a manifest list that supports both architectures
       - name: Build and Push Multi-arch Docker images
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ./devops/deploy/docker/build/${{ matrix.platform }}
           push: true
diff --git a/.github/workflows/docker-cbdb-test-containers.yml b/.github/workflows/docker-cbdb-test-containers.yml
@@ -106,20 +106,20 @@ jobs:
       # This allows building ARM64 images on AMD64 infrastructure and vice versa
       - name: Set up QEMU
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' }}
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       # Login to DockerHub for pushing images
       - name: Login to Docker Hub
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       # Setup Docker Buildx for efficient multi-architecture builds
       - name: Set up Docker Buildx
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' }}
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           buildkitd-flags: --debug
 
@@ -142,7 +142,7 @@ jobs:
       # Creates a manifest list that supports both architectures
       - name: Build and Push Multi-arch Docker images
         if: ${{ steps.platform-filter.outputs[matrix.platform] == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ./devops/deploy/docker/test/${{ matrix.platform }}
           push: true
