fix: disable buildx binary cache in release workflow to mitigate cache poisoning (#2572)

mallendem · claude · web-flow · commit 60da68adffdb · 2026-03-10T08:11:52.000Z
Explicitly set `cache-binary: false` on docker/setup-buildx-action in the publish-docker job to prevent potential cache poisoning attacks where a compromised buildx binary could affect Docker image builds pushed to the Elastic container registry. Ref: elastic/observability-robots#3264 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -124,7 +124,9 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          cache-binary: false
 
       - name: Log in to the Elastic Container registry
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
