ci: log in to GHCR inline in release-publish.yml (bypass ASF Actions allow-list)#154
Merged
…s allow-list release-publish.yml authenticates to GHCR with docker/login-action, a third-party action not on the Apache org's GitHub Actions allow-list. Allow-list rejection is parse-time, so it fails the whole workflow at startup (zero jobs) the moment a release runs. The v4.2.0 (650006c6) SHA-pin from apache#145 does not help — that SHA is not allow-listed, unlike graalvm (329c42c), which is and is left as-is.

Replace both GHCR login steps with an inline 'docker login' using the built-in GITHUB_TOKEN. The token is piped via stdin (never on the command line or in logs) and the username is read from an env var, so no untrusted value is interpolated into the run script. This removes the allow-list dependency.

Companion to apache#153, which removed the unused publish job from build-and-publish.yml. release-publish.yml genuinely needs to publish, so it keeps the login — just inline.

Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
epugh pushed a commit that referenced this pull request (Jun 19, 2026):
nightly-build.yml failed at startup on every scan (zero jobs) because of a secrets-in-if expression: 'if: ${{ secrets.APACHE_NIGHTLIES_USER != '\'''\'' }}'. The secrets context is not available in if: conditions, so GitHub rejects the workflow at parse time — a separate cause from the docker/login-action allow-list issue fixed in #153/#154.
The nightlies.apache.org upload was only a placeholder and a daily nightly pre-release isn't wanted, so remove the workflow entirely rather than fix the parse error. dev-docs/WORKFLOWS.md and dev-docs/DOCKER_PUBLISHING.md are updated to drop nightly references (dedicated section, comparison-matrix column, scenario, registry list, tagging).
Note: the 'COMPARISON WITH OTHER WORKFLOWS' header comments in build-and-publish.yml, release-publish.yml, and atr-release.yml still list nightly-build; left as-is to avoid conflicts with #153/#154 which modify the first two.
Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

`release-publish.yml` authenticates to GHCR with `docker/login-action` in two GHCR‑login steps. That third‑party action is not on the Apache org's GitHub Actions allow‑list, and allow‑list rejection happens at workflow‑parse time — so the action fails the entire workflow at startup (zero jobs run) the moment a release is run.

The SHA‑pin to `650006c6…` (v4.2.0) added in #145 does not help: that SHA isn't allow‑listed. (The `graalvm/setup-graalvm@329c42c…` pin in the same file is allow‑listed and is left untouched.)

This workflow is dormant today (manual release trigger), so it isn't failing CI now — but it would startup‑fail the first time someone cuts a release.

Fix

Unlike #153 (where `build-and-publish.yml` doesn't publish, so the job was removed), `release-publish.yml` genuinely needs to publish — so it keeps the login, just inline:

- Replace both `docker/login-action` GHCR‑login steps with an inline `docker login ghcr.io` using the built‑in `GITHUB_TOKEN`.
- The token is piped via stdin (`--password-stdin`) so it never appears on the command line or in logs; the username is read from an `env:` var, so no untrusted value is interpolated into the `run:` script.

This removes the allow‑list dependency entirely — the inline `docker login` uses only the Docker CLI already on the runner.

18 insertions, 10 deletions, one file. No publish behavior changes — the subsequent Jib push steps and Docker Hub publishing are untouched.

Companion PR

This is the follow‑up to #153 (which fixed `build-and-publish.yml` by removing its unused publish job). Together they clear `docker/login-action` from both workflows.

🤖 Generated with Claude Code
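What the inline GHCR login described above looks like as a GitHub Actions step, added here as an illustration; it is not the diff from this PR and not the project's `release-publish.yml`. The job and step names, the `GHCR_USER` and `GHCR_TOKEN` env var names, the choice of `github.actor` as the username, and the `permissions:` block are assumptions. The original `docker/login-action` step is shown commented out so the block stays valid YAML, with its pinned SHA left as a placeholder rather than the real pin.

```yaml
# Added illustration, not this PR's diff. Names and the permissions block are assumptions.
permissions:
  contents: read
  packages: write          # GITHUB_TOKEN needs packages:write to push images to GHCR

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Before: a third-party action. An org-level Actions allow-list that does not
      # include it rejects the workflow at parse time, so no job ever starts.
      # - name: Log in to GHCR
      #   uses: docker/login-action@<pinned-sha>   # placeholder, not the real pin
      #   with:
      #     registry: ghcr.io
      #     username: ${{ github.actor }}
      #     password: ${{ secrets.GITHUB_TOKEN }}

      # After: inline docker login using only the Docker CLI already on the runner.
      # Both values reach the shell through env:, so nothing is interpolated with
      # ${{ }} into the run: script, and the token travels over stdin, not argv.
      - name: Log in to GHCR
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
```

`printf '%s'` is used instead of `echo` so the token is passed byte-for-byte with no trailing newline and no risk of a value starting with `-` being treated as an option. Passing the password with `--password` instead would put it in the process argument list, where `docker login` itself warns it is visible to other processes on the runner; `--password-stdin` is the documented way to avoid that.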