From c5b552bd04d6be86d3960c29c5c8d7474dcfbd42 Mon Sep 17 00:00:00 2001
From: Nick Dimiduk
Date: Mon, 23 Mar 2026 13:35:21 +0100
Subject: [PATCH 1/3] YETUS-1268. Pin docker actions in ghcr.yml to SHA for ASF allowlist compliance
---
 .github/workflows/ghcr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index 09c16a94..85e4c4f2 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -37,14 +37,14 @@ jobs:
 fetch-depth: 0
 - name: Set up QEMU
 id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c105540f5ed055e8a6ad78d82dd3a7e # v3.6.0
 with:
 image: tonistiigi/binfmt:qemu-v7.0.0-28
 platforms: all
 - name: Available platforms
 run: echo ${{ steps.qemu.outputs.platforms }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
From 1087bd392d26c4cc075f75daa89299c3ea182589 Mon Sep 17 00:00:00 2001
From: Nick Dimiduk
Date: Mon, 23 Mar 2026 13:55:10 +0100
Subject: [PATCH 2/3] yamllint
---
 .github/workflows/ghcr.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index 85e4c4f2..66952d0d 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
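Review bot: The ref pinned for `docker/setup-qemu-action` in the [PATCH 1/3] hunk is 55 hex characters long (`29109295…3a7e`), not a 40-character commit SHA like the `docker/login-action` ref in the same hunk, so as shown the `uses:` line would not resolve and the workflow would fail at that step. [PATCH 2/3] carries the same string forward unchanged and only [PATCH 3/3] replaces it with a 40-character ref, which leaves two commits in the series with a broken workflow. I would correct it here to `uses: docker/setup-qemu-action@<40-hex commit SHA of the v3.6.0 tag> # v3.6.0`, or squash the series so the malformed pin never lands. The string may have been mangled when the patch was pasted, so please confirm against the branch.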
@@ -37,14 +37,16 @@ jobs:
 fetch-depth: 0
 - name: Set up QEMU
 id: qemu
- uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c105540f5ed055e8a6ad78d82dd3a7e # v3.6.0
+ # yamllint disable-line rule:line-length
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c105540f5ed055e8a6ad78d82dd3a7e # v3.6.0
 with:
 image: tonistiigi/binfmt:qemu-v7.0.0-28
 platforms: all
 - name: Available platforms
 run: echo ${{ steps.qemu.outputs.platforms }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ # yamllint disable-line rule:line-length
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
From 74f230fdf8ca77b6957ac324bcb2d67c9aa5acc6 Mon Sep 17 00:00:00 2001
From: Nick Dimiduk
Date: Mon, 23 Mar 2026 14:01:47 +0100
Subject: [PATCH 3/3] upgrade the versions while we're here.
---
 .github/workflows/ghcr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index 66952d0d..9cc02248 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -38,7 +38,7 @@ jobs:
 - name: Set up QEMU
 id: qemu
 # yamllint disable-line rule:line-length
- uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c105540f5ed055e8a6ad78d82dd3a7e # v3.6.0
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 with:
 image: tonistiigi/binfmt:qemu-v7.0.0-28
 platforms: all
@@ -46,7 +46,7 @@ jobs:
 run: echo ${{ steps.qemu.outputs.platforms }}
 - name: Login to GitHub Container Registry
 # yamllint disable-line rule:line-length
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
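Review bot: In the first hunk of [PATCH 3/3] the action is now pinned to a commit, but the `image: tonistiigi/binfmt:qemu-v7.0.0-28` input two lines below it is still a mutable tag, so the container image handed to the action stays outside the pinning this series adds. If the input accepts a full image reference, pinning it by digest closes that gap: `image: tonistiigi/binfmt:qemu-v7.0.0-28@sha256:<digest of the reviewed image>`. This hunk also crosses a major version (v3.6.0 to v4.0.0), so it is worth confirming in the release notes that the `image` and `platforms` inputs, and the `platforms` output read by the next step, are unchanged. The same major bump applies to `docker/login-action` in the second hunk.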
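Review bot: The context line `run: echo ${{ steps.qemu.outputs.platforms }}` at the top of the second [PATCH 3/3] hunk expands a step output directly into the shell script text, so whatever the (now major-upgraded) action emits is parsed by the shell rather than treated as data. Passing it through the environment keeps it a plain string: add `env:` with `PLATFORMS: ${{ steps.qemu.outputs.platforms }}` to the step and change the command to `run: echo "$PLATFORMS"`. The `Available platforms` step starts above this hunk, so the `env:` key would sit alongside its `name:` line.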