fix: disable buildx binary cache in release workflow#2572

Open
mallendem wants to merge 1 commit into main from fix/cache-poisoning-mitigation

Conversation


@mallendem mallendem commented Mar 6, 2026

Summary

  • Added cache-binary: false to docker/setup-buildx-action in the publish-docker job of release.yml
  • Mitigates cache poisoning risk where a compromised buildx binary in GHA cache could affect Docker image builds pushed to docker.elastic.co/observability/apm-agent-python

Impact

  • Build time: Buildx binary downloaded fresh each release (~seconds, negligible)
  • Functional: None — identical Docker image output

🤖 Generated with Claude Code
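The shape of the change, as an added illustration rather than the PR's own diff: the Buildx setup step of the publish-docker job in release.yml before and after the fix. The step name and the `<pinned-sha>` placeholder are assumptions, not values from the page.

```yaml
# Added illustration, not the PR's diff. Step name and <pinned-sha> are
# assumptions; the job name (publish-docker) and the input come from the PR.

# Before: cache-binary defaults to true, so the Buildx binary is restored
# from the GitHub Actions cache on each run of the release workflow.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@<pinned-sha>

# After: download the Buildx binary fresh on every release build instead of
# trusting whatever is currently stored in the Actions cache.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@<pinned-sha>
        with:
          cache-binary: false
```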

…e poisoning

Explicitly set `cache-binary: false` on docker/setup-buildx-action in
the publish-docker job to prevent potential cache poisoning attacks where
a compromised buildx binary could affect Docker image builds pushed to
the Elastic container registry.

Ref: elastic/observability-robots#3264

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions bot commented Mar 6, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mallendem mallendem marked this pull request as ready for review March 6, 2026 11:06
@mallendem mallendem requested review from a team as code owners March 6, 2026 11:06
Copilot AI review requested due to automatic review settings March 6, 2026 11:06

Copilot AI left a comment

Pull request overview

Updates the release workflow to reduce supply-chain risk during Docker image publishing by disabling caching of the Buildx binary in GitHub Actions.

Changes:

  • Configure docker/setup-buildx-action in the publish-docker job to download the Buildx binary fresh each run by setting cache-binary: false.
