chore(ci): use git-hash in actions for ASF actions approval list #3400

Merged: LindaSummer merged 5 commits into apache:unstable from LindaSummer:fix/ci-action-failure on Mar 24, 2026

@LindaSummer
Member

Issue

Fix #3399

Proposed Changes

  • Upgrade actions to align with ASF approval list.
  • Temporarily disable SonarQube actions for CI pipeline.

Comment

We should enable SonarQube actions ASAP once the request apache/infrastructure-actions#572 is approved.

Contributor

Copilot AI left a comment

Pull request overview

Adjusts GitHub Actions workflows to comply with the ASF GitHub Actions allow-list constraints that are currently preventing CI from initializing (Issue #3399), by pinning actions and temporarily disabling SonarCloud automation.

Changes:

  • Disable automatic SonarCloud execution from CI completion (workflow_run) and gate it behind manual dispatch.
  • Temporarily remove the SonarCloud-with-coverage CI matrix entry and comment out SonarCloud build-wrapper steps.
  • Pin Docker-related GitHub Actions in the nightly workflow (and docker build in CI) to specific commit SHAs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File                              Description
.github/workflows/sonar.yaml      Disables workflow_run trigger and pins SonarSource actions to a commit SHA.
.github/workflows/nightly.yaml    Pins Docker actions (metadata/login/qemu/buildx/build-push) to specific commit SHAs.
.github/workflows/kvrocks.yaml    Comments out the SonarCloud-with-coverage matrix entry/steps and pins docker/build-push-action to a commit SHA.

workflow_run:
workflows: [CI]
types: [completed]
# FIXME: temporarily trigger SonarCloud analysis on CI workflow completion, refer to #3399

Copilot AI Mar 23, 2026

The FIXME comment says the workflow is “temporarily trigger[ed] … on CI workflow completion”, but the workflow_run trigger is actually commented out below. Consider rewording the comment to reflect that the CI trigger is temporarily disabled (and optionally link to the ASF infra action approval PR).

Suggested change:
- # FIXME: temporarily trigger SonarCloud analysis on CI workflow completion, refer to #3399
+ # FIXME: CI-based SonarCloud trigger via `workflow_run` is temporarily disabled; see #3399 (e.g. ASF infra action approval)

Comment on lines +22 to +25
# workflow_run:
# workflows: [CI]
# types: [completed]
workflow_dispatch:

Copilot AI Mar 23, 2026

workflow_run trigger is commented out and replaced with workflow_dispatch, but this workflow (job if, checkout ref/repository, artifact download script, and sonar.scm.revision) still relies on github.event.workflow_run.*. With workflow_dispatch, those fields are unset, so the job will be skipped (or run with missing values) and the workflow can’t be executed manually as written. Either remove workflow_dispatch to fully disable the workflow, or update the job logic to support workflow_dispatch (e.g., use github.sha/github.repository and/or add dispatch inputs for the run id/SHA).

Suggested change:
- # workflow_run:
- # workflows: [CI]
- # types: [completed]
- workflow_dispatch:
+ workflow_run:
+ workflows: [CI]
+ types: [completed]
+ # workflow_dispatch:

Member

@jihuayu jihuayu left a comment

  1. I think we can wait 24 hours for upstream.
  2. Could you tell me what needs to stay in the repo long-term, and what needs to be updated again after the upstream PR lands?

# workflow_run:
# workflows: [CI]
# types: [completed]
workflow_dispatch:
Member

@jihuayu jihuayu Mar 24, 2026

Why do we need to add it (workflow_dispatch)?

Member Author

Hi @jihuayu,

I try to disable this workflow and use this as a placeholder.
It would be better to comment out the whole workflow file.

The action has been added to the approval list.
We could just update the version of our action.

@LindaSummer
Member Author

  1. I think we can wait 24 hours for upstream.
  2. Could you tell me what needs to stay in the repo long-term, and what needs to be updated again after the upstream PR lands?

Hi @jihuayu,

Thanks very much for your review. 😊
The upstream has approved our request. We could update our action hash and it should be resolved.

Member

@jihuayu jihuayu left a comment

Thanks for your work.

@LindaSummer LindaSummer changed the title from "chore(ci): disable sonarqube for ASF infra action limitation" to "chore(ci): use git-hash in actions for ASF infra approval list" on Mar 24, 2026
@LindaSummer LindaSummer changed the title from "chore(ci): use git-hash in actions for ASF infra approval list" to "chore(ci): use git-hash in actions for ASF actions approval list" on Mar 24, 2026
@LindaSummer LindaSummer enabled auto-merge (squash) March 24, 2026 14:28
@LindaSummer LindaSummer merged commit 73e202d into apache:unstable Mar 24, 2026
42 checks passed
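
An added example, not part of the pull request or the Kvrocks repository: a small Python check for the SHA pinning this change applies, listing every active `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA. The sample workflow, its placeholder SHA and tags, the `example-org/scan-action` name and the local action path are constructed for illustration.

```python
import re

# Active `uses:` lines only; a commented-out step (leading '#') does not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow: the SHA, tags and action path are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v0.0.0
      - name: Build
        uses: docker/build-push-action@main
      # - uses: example-org/scan-action@v1
      - uses: ./.github/actions/setup
      - uses: docker/setup-qemu-action@0123456
"""

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, version = ref.rpartition("@")
    # Tags, branches and abbreviated SHAs are mutable or ambiguous references.
    return "pinned" if sep and FULL_SHA_RE.fullmatch(version) else "unpinned"

def audit(workflow_text):
    """Return (line_number, ref, verdict) for every active `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def unpinned(workflow_text):
    """Return (line_number, ref) for references that still need a full SHA."""
    return [(n, ref) for n, ref, verdict in audit(workflow_text) if verdict == "unpinned"]

if __name__ == "__main__":
    for lineno, ref in unpinned(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```
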

Development

Successfully merging this pull request may close these issues.

CI: CI failed to initialize due to github action approve list under ASF

4 participants