From 480dc09c19eaab3c557301070c94ca091f7bfb99 Mon Sep 17 00:00:00 2001
From: Miguel Allende
Date: Fri, 6 Mar 2026 12:03:48 +0100
Subject: [PATCH] fix: disable buildx binary cache in release workflow to mitigate cache poisoning

Explicitly set `cache-binary: false` on docker/setup-buildx-action in the publish-docker job to prevent potential cache poisoning attacks where a compromised buildx binary could affect Docker image builds pushed to the Elastic container registry.

Ref: https://github.com/elastic/observability-robots/issues/3264

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25fd64918..1a19048c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -125,6 +125,8 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          cache-binary: false
       - name: Log in to the Elastic Container registry
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0