fix: disable buildx binary cache in release workflow to mitigate cache poisoning

mallendem · claude · mallendem · commit 480dc09c19ea · 2026-03-06T12:03:48.000+01:00
Explicitly set `cache-binary: false` on docker/setup-buildx-action in the publish-docker job to prevent potential cache poisoning attacks where a compromised buildx binary could affect Docker image builds pushed to the Elastic container registry. Ref: elastic/observability-robots#3264 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -125,6 +125,8 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          cache-binary: false
 
       - name: Log in to the Elastic Container registry
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
