Skip to content

[fix][ci] Update docker/build-push-action to ASF allowlisted version#602

Open
geniusjoe wants to merge 1 commit into
apache:mainfrom
geniusjoe:bugfix/actions-image-update
Open

[fix][ci] Update docker/build-push-action to ASF allowlisted version#602
geniusjoe wants to merge 1 commit into
apache:mainfrom
geniusjoe:bugfix/actions-image-update

Conversation

@geniusjoe

Copy link
Copy Markdown
Contributor

Related: apache/infrastructure-actions@062f6aa
Related: apache/infrastructure-actions#994
Related: apache/spark#54935

Motivation

The docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 (v7.0.0) used in our CI workflows was removed from the ASF GitHub Actions allowlist on 2026-07-07 by the automated remove_expired.yml workflow (commit), causing all Docker-related CI jobs to fail with:

The action docker/build-push-action@d08e5c3 is not allowed in apache/pulsar-client-cpp because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns...

This is the same class of issue that Apache Spark encountered and fixed in apache/spark#54935.

Modifications

Updated docker/build-push-action in:

  • .github/workflows/ci-pr-validation.yaml
  • .github/workflows/ci-build-binary-artifacts.yaml

Version mapping (SHA → tag):

SHA Tag Status
d08e5c354a6adb9ed34480a06d141179aa583294 (old) v7.0.0 ❌ expired from allowlist on 2026-07-07
bcafcacb16a39f128d818304e6c9c0c18556b85f v7.1.0 ✅ in allowlist (used by Apache Spark)
ca052bb54ab0790a636c9b5f226502c73d547a25 v7.2.0 ✅ in allowlist
f9f3042f7e2789586610d6e8b85c8f03e5195baf v7.2.0 ✅ in allowlist
53b7df96c91f9c12dcc8a07bcb9ccacbed38856a (new) v7.3.0 ✅ in allowlist (PR #994)

Why v7.3.0 instead of v7.1.0 (Spark's choice)?

Apache Spark updated to v7.1.0 (bcafcacb...) back in March 2026. Since then, the ASF approved_patterns.yml has added newer versions. We chose v7.3.0 (53b7df96...) because:

  1. It is the latest version in the ASF approved patterns allowlist.
  2. It is also the current v7 floating tag target in the docker/build-push-action repository, meaning it includes the latest bug fixes and dependency updates.
  3. Using the newest allowlisted version reduces the chance of needing another update soon if older SHAs are pruned from the allowlist.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Documentation

  • doc-not-needed
    (CI infrastructure fix only, no user-facing changes.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant