[SPARK-56724][INFRA][4.x] Make docker/* GitHub Actions up-to-date

[sarutak]

What changes were proposed in this pull request?

Update the commit SHAs of the following Docker-related GitHub Actions in branch-4.x to match the ones registered in the Apache organization's GitHub Actions allowlist:

• docker/login-action
• docker/setup-qemu-action
• docker/setup-buildx-action
• docker/build-push-action

Why are the changes needed?

CI on branch-4.x fails with the error:

The actions docker/login-action@c94ce9fb..., docker/setup-qemu-action@29109295..., docker/setup-buildx-action@8d2750c6..., and docker/build-push-action@10e90e36... are not allowed in apache/spark because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns...

https://github.com/apache/spark/actions/runs/27544506457

The master branch was already updated to the new SHAs, but branch-4.x still had the old ones that are no longer in the allowlist.

• [SPARK-56724][INFRA] Make docker/* GitHub Actions up-to-date #55687

Does this PR introduce any user-facing change?

No.

How was this patch tested?

CI should pass with this change.

Was this patch authored or co-authored using generative AI tooling?

Kiro CLI / Claude

[dongjoon-hyun]

+1, LGTM.

I revised the PR description by referring.

• #55687

[gaogaotiantian]

Thank you for noticing this. We need the fix to all other maintenance branches too. 4.2 is probably freezing now so let's fix others first. The trigger is that we are moving CIs to the corresponding branches, which means we need to maintain the build_and_test.yml file for every branch (but it would be a much simpler file in the future).

[dongjoon-hyun]

BTW, @sarutak , if SHAs are different from #55687, you need to start from master branch again.

And, if there is not much difference, you had better cherry-pick and resolve the conflict while preserving the original JIRA ID. I guess we need this in branch-4.2 and older branch too, don't we?

Otherwise, it might be difficult to track because we need multiple JIRA issues for the same SHAs; master/branch-4.x/branch-4.2/branch-4.1/branch-4.0/branch-3.5.

[dongjoon-hyun]

Thank you for revising this PR, @sarutak .

[sarutak]

Cherry-picked from #55687 and change the PR title.
Also opened a PR for branch-4.1. Will open another PR for branch-4.2 once 4.0.3 4.2.0 is released.
I think branch-4.0 and older branches don't need to change the hash because branch-4.0 and older branches use tag-based references (e.g., @V3) instead of pinned SHAs, so they are not affected by this allowlist change.

[dongjoon-hyun]

I guess you want to mention 4.2.0 RC3 instead of 4.0.3? I released 4.0.3 already last week. :)

Will open another PR for branch-4.2 once 4.0.3 is released.

And, it's great for branch-4.0 and olders~ Thank you for checking.

[sarutak]

I guess you want to mention 4.2.0 RC3 instead of 4.0.3? I released 4.0.3 already last week. :)

Oh sorry for the typo, I was half-asleep because I just woke up a few minutes ago, so...

[gaogaotiantian]

Hi @sarutak , if it's possible, could you merge this to the older branches as well.

I don't think we are supposed to use version pins like v3 for apache projects (unless it's pre-approved like github/apache official actions?). It was okay because the yml file is almost never used for older branches. Once the branch is cut, the build_and_test.yml file would only be used when a new commit is pushed to that branch.

However, we are moving to a point where build_and_test.yml on that branch is the only CI source for that branch, so the scheduled CI is using the build_and_test.yml file from that branch, instead of master. This change will effectively make build_and_test.yml on every branch active. We will need to update those files in the future so maybe it's nice to just update them now.

Even if we don't think about scheduled CI, the current commit to the branch will trigger CI based on build_and_test.yml on the old branch so maybe it's good to just update them?

[sarutak]

I think branch-4.0 and older branches don't need to change the hash because branch-4.0 and older branches use tag-based references (e.g., @V3) instead of pinned SHAs, so they are not affected by this allowlist change.

Let me correct my comment above. branch-4.0 uses pinned SHAs. Anyway, I'm OK to open PRs for older branches as @gaogaotiantian suggested. What do you think, @dongjoon-hyun ?

[dongjoon-hyun]

I'm okay too~

[sarutak]

Opend following PRs:
branch-4.0: #56531
branch-3.5: #56532