[SPARK-56724][INFRA] Make docker/* GitHub Actions up-to-date #55687
Closed
dongjoon-hyun wants to merge 1 commit into
Member
Author
Could you review this PR, too, @peter-toth? The CI failure is irrelevant.
peter-toth
approved these changes
May 5, 2026
Member
Author
Thank you! Merged to master.
dongjoon-hyun
added a commit
to apache/spark-docker
that referenced
this pull request
May 7, 2026
… hashes

### What changes were proposed in this pull request?

This PR updates all `docker/*` GitHub Actions in `.github/workflows/main.yml` from major version tags to ASF-approved commit hashes registered in [`apache/infrastructure-actions/approved_patterns.yml`](https://raw.githubusercontent.com/apache/infrastructure-actions/main/approved_patterns.yml).

| Action | Before | After (latest approved) |
|---|---|---|
| `docker/setup-qemu-action` | `v3` | `ce360397dd3f832beb865e1373c09c0e9f86d70a` (v4.0.0) |
| `docker/setup-buildx-action` | `v2` | `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` (v4.0.0) |
| `docker/build-push-action` (×3) | `v3` | `bcafcacb16a39f128d818304e6c9c0c18556b85f` (v7.1.0) |
| `docker/login-action` (×2) | `v2` | `4907a6ddec9925e35a0a9e82d7399ccc52663121` (v4.1.0) |

### Why are the changes needed?

ASF Infrastructure policy requires GitHub Actions to be pinned to commit hashes listed in `approved_patterns.yml`. The current `docker/*` references use legacy major version tags (`v2`/`v3`) that are out of compliance and several major versions behind upstream. Currently, CI is broken.

> The actions docker/setup-qemu-actionv3, docker/setup-buildx-actionv2, docker/build-push-actionv3, and docker/login-actionv2 are not allowed in apache/spark-docker because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns:

For other Apache Spark repositories, we updated already but `spark-docker` seems to be outdated.

- apache/spark#55687
- apache/spark-kubernetes-operator#651

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.7 (1M context)

Closes #110 from dongjoon-hyun/dongjoon/trusting-sinoussi-78ed6b.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
sarutak
pushed a commit
to sarutak/spark
that referenced
this pull request
Jun 15, 2026
This PR upgrades four `docker/*` GitHub Actions to the latest commit hashes approved by the Apache Software Foundation in [`infrastructure-actions/approved_patterns.yml`](https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml):

| Action | Before (tag) | After (tag) |
| --- | --- | --- |
| `docker/build-push-action` | `10e90e3645eae34f1e60eeb005ba3a3d33f178e8` (v6.19.2) | `bcafcacb16a39f128d818304e6c9c0c18556b85f` (v7.1.0) |
| `docker/login-action` | `c94ce9fb468520275223c153574b00df6fe4bcc9` (v3.7.0) | `4907a6ddec9925e35a0a9e82d7399ccc52663121` (v4.1.0) |
| `docker/setup-buildx-action` | `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f` (v3.12.0) | `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` (v4.0.0) |
| `docker/setup-qemu-action` | `29109295f81e9208d7d86ff1c6c12d2833863392` (v3.6.0) | `ce360397dd3f832beb865e1373c09c0e9f86d70a` (v4.0.0) |

Updated workflow files (25 references in total):

- `.github/workflows/build_and_test.yml` (8 references)
- `.github/workflows/build_infra_images_cache.yml` (17 references)

The previously pinned hashes were one major version behind upstream and predate the Node.js 20 runtime that Docker actions require going forward. Apache Infrastructure has already approved the newer hashes in `approved_patterns.yml`, so this PR brings Apache Spark's Docker actions onto the supported baseline while keeping ASF policy compliance.

No. CI-only change; no Spark runtime, API, or release artifact is affected.

Pass the CIs.

Generated-by: Claude Code (claude-opus-4-7)

Closes apache#55687 from dongjoon-hyun/SPARK-56724.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
This was referenced Jun 15, 2026
sarutak
pushed a commit
that referenced
this pull request
Jun 17, 2026
### What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in `branch-3.5` to match the ones registered in the Apache organization's GitHub Actions allowlist:

- `docker/login-action`
- `docker/setup-qemu-action`
- `docker/setup-buildx-action`
- `docker/build-push-action`

### Why are the changes needed?

The `master` branch was already updated to the new SHAs, but `branch-3.5` still used tag-based references (e.g., v2) which are not in the allowlist.

- #55687

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI should pass with this change.

### Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

Closes #56532 from sarutak/update-docker-actions-branch-3.5.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>
sarutak
pushed a commit
that referenced
this pull request
Jun 17, 2026
### What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in `branch-4.1` to match the ones registered in the Apache organization's GitHub Actions allowlist:

- `docker/login-action`
- `docker/setup-qemu-action`
- `docker/setup-buildx-action`
- `docker/build-push-action`

### Why are the changes needed?

CI on `branch-4.1` fails with the error:

> The actions docker/login-actionc94ce9fb..., docker/setup-qemu-action29109295..., docker/setup-buildx-action8d2750c6..., and docker/build-push-action10e90e36... are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns...

https://github.com/apache/spark/actions/runs/27502448688

The `master` branch was already updated to the new SHAs, but `branch-4.1` still had the old ones that are no longer in the allowlist.

- #55687

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI should pass with this change.

### Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

Closes #56525 from sarutak/update-docker-actions-branch-4.1.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>
sarutak
pushed a commit
that referenced
this pull request
Jun 17, 2026
### What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in `branch-4.x` to match the ones registered in the Apache organization's GitHub Actions allowlist:

- `docker/login-action`
- `docker/setup-qemu-action`
- `docker/setup-buildx-action`
- `docker/build-push-action`

### Why are the changes needed?

CI on `branch-4.x` fails with the error:

> The actions docker/login-actionc94ce9fb..., docker/setup-qemu-action29109295..., docker/setup-buildx-action8d2750c6..., and docker/build-push-action10e90e36... are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns...

https://github.com/apache/spark/actions/runs/27544506457

The `master` branch was already updated to the new SHAs, but `branch-4.x` still had the old ones that are no longer in the allowlist.

- #55687

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI should pass with this change.

### Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

Closes #56517 from sarutak/update-docker-actions-branch-4x.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>
sarutak
pushed a commit
that referenced
this pull request
Jun 17, 2026
### What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in `branch-4.0` to match the ones registered in the Apache organization's GitHub Actions allowlist:

- `docker/login-action`
- `docker/setup-qemu-action`
- `docker/setup-buildx-action`
- `docker/build-push-action`

### Why are the changes needed?

The `master` branch was already updated to the new SHAs, but `branch-4.0` still had the old ones that are no longer in the allowlist.

- #55687

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI should pass with this change.

### Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

Closes #56531 from sarutak/update-docker-actions-branch-4.0.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>
sarutak
pushed a commit
that referenced
this pull request
Jun 17, 2026
### What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in `branch-4.2` to match the ones registered in the Apache organization's GitHub Actions allowlist:

- `docker/login-action`
- `docker/setup-qemu-action`
- `docker/setup-buildx-action`
- `docker/build-push-action`

### Why are the changes needed?

The `master` branch was already updated to the new SHAs, but `branch-4.2` still had the old ones that are no longer in the allowlist.

- #55687

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI should pass with this change.

### Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

Closes #56555 from sarutak/update-docker-actions-branch-4.2.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Kousuke Saruta <sarutak@apache.org>
### What changes were proposed in this pull request?

This PR upgrades four `docker/*` GitHub Actions to the latest commit hashes approved by the Apache Software Foundation in `infrastructure-actions/approved_patterns.yml`:

| Action | Before (tag) | After (tag) |
| --- | --- | --- |
| `docker/build-push-action` | `10e90e3645eae34f1e60eeb005ba3a3d33f178e8` (v6.19.2) | `bcafcacb16a39f128d818304e6c9c0c18556b85f` (v7.1.0) |
| `docker/login-action` | `c94ce9fb468520275223c153574b00df6fe4bcc9` (v3.7.0) | `4907a6ddec9925e35a0a9e82d7399ccc52663121` (v4.1.0) |
| `docker/setup-buildx-action` | `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f` (v3.12.0) | `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` (v4.0.0) |
| `docker/setup-qemu-action` | `29109295f81e9208d7d86ff1c6c12d2833863392` (v3.6.0) | `ce360397dd3f832beb865e1373c09c0e9f86d70a` (v4.0.0) |

Updated workflow files (25 references in total):

- `.github/workflows/build_and_test.yml` (8 references)
- `.github/workflows/build_infra_images_cache.yml` (17 references)

### Why are the changes needed?

The previously pinned hashes were one major version behind upstream and predate the Node.js 20 runtime that Docker actions require going forward. Apache Infrastructure has already approved the newer hashes in `approved_patterns.yml`, so this PR brings Apache Spark's Docker actions onto the supported baseline while keeping ASF policy compliance.

### Does this PR introduce any user-facing change?

No. CI-only change; no Spark runtime, API, or release artifact is affected.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)
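
The following is an added example, not code from this PR or from Apache tooling: a pre-merge audit that reports which `docker/*` references in a workflow would fail the allowlist check, separating tag-based references from hashes that are pinned but not approved. The function name `audit_workflow`, the flat `owner/repo@sha` allowlist format and the workflow fragment are assumptions made for illustration.

```python
import re

# "After" hashes from the PR description; the flat owner/repo@sha set is an assumed format.
APPROVED = {
    "docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f",
    "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121",
    "docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd",
    "docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a",
}

# Constructed workflow fragment (not taken from apache/spark).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Login
        uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9"
      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
      # - uses: docker/login-action@v2   (commented out, must be ignored)
      - uses: ./.github/actions/local
"""

# Matches `uses:` as a step key or list item; YAML comment lines never match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, approved, prefix="docker/"):
    """Return (line_no, reference, verdict) for each `uses:` under `prefix`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match or not match.group(1).startswith(prefix):
            continue
        reference = match.group(1)
        _, _, ref = reference.partition("@")
        if not FULL_SHA_RE.match(ref):
            verdict = "mutable-ref"       # tag or branch: can be repointed upstream
        elif reference not in approved:
            verdict = "sha-not-approved"  # pinned, but to a hash outside the allowlist
        else:
            verdict = "ok"
        findings.append((line_no, reference, verdict))
    return findings

if __name__ == "__main__":
    for line_no, reference, verdict in audit_workflow(SAMPLE_WORKFLOW, APPROVED):
        print(f"line {line_no}: {reference}: {verdict}")
```

The `sha-not-approved` case is the one the release branches hit: a full commit hash that was valid when pinned and later dropped from the allowlist.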