From f992407811061833de3ebb135e422b7d90e6b0ef Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:53:54 +0600 Subject: [PATCH 01/17] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 06bee2c0..84f42009 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -19,8 +19,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -36,7 +36,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh From 4e9f22d94999eb658d132e446c1c3b1123668079 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:53:54 +0600 Subject: [PATCH 02/17] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 13 ++++++++----- 3 files changed, 15 insertions(+), 10 deletions(-) 
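Review bot: The `git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git` line kept in the Prepare git step writes the token into `.git/config` in plaintext, where it persists for the rest of the job and is echoed by `git remote -v` or any verbose git output. `actions/checkout` already stores a job-scoped credential via `http.extraheader` (persist-credentials defaults to true), so pushes with the default `GITHUB_TOKEN` work without rewriting the remote; dropping the `set-url` line removes the exposure without losing anything. Also note the default token can only push if the job or workflow grants `contents: write`, which is not visible in this hunk.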
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 845631ed..4044bf47 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,21 +21,21 @@ jobs: steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Prepare Host run: | diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 84f42009..6b545cd5 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,9 +13,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 17e855bd..3bdb61c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,10 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Print version info id: semver 
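Review bot: The SHA pins in the `uses:` lines are only as trustworthy as the `# vX.Y.Z` comments beside them, and nothing in the hunk shows that each SHA was checked against the upstream release tag before merge; a pin that is never bumped also freezes whatever defects the pinned commit carries. Pair the pins with an updater that understands the comment convention (e.g. a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, if the repo does not already have one) and keep the comment in sync on every bump, since that comment is what both the updater and a human auditor read. Whether such an updater config exists is outside this diff.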
@@ -25,15 +28,15 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to the GitHub Container registry - uses: docker/login-action@v2 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -47,7 +50,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 if: startsWith(github.ref, 'refs/tags/') env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 2c9384146242790145a3031d95835fd9c2e2ed2d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 09:43:43 +0600 Subject: [PATCH 03/17] Add job permissions for workflow Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3bdb61c8..c88c2ebb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,6 +15,9 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write + packages: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From e877148ee221c188b544ebef602f5d3c8bd433cb Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:49:20 +0600 Subject: [PATCH 04/17] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 6b545cd5..a86340be 100644 --- a/.github/workflows/release-tracker.yml 
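Review bot: `contents: write` and `packages: write` are granted to the whole `build` job, so the token is live during setup and `make release` as well as in the step that publishes; any code executed while building (Makefile targets, Go toolchain, buildx helpers) can therefore create releases or push images with it. If publishing can be moved into a separate job that consumes the built artifacts, the build job can run with `contents: read` and only the publish job carries the write scopes. The `on:` block and the `make release` recipe are outside the hunk, so whether the build step itself pushes to ghcr.io (and genuinely needs `packages: write`) cannot be confirmed here.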
+++ b/.github/workflows/release-tracker.yml @@ -33,12 +33,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 1693ba0a7232789d358f0a819e0611ff297a9d29 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:31:27 +0600 Subject: [PATCH 05/17] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 5 ----- hack/scripts/update-release-tracker.sh | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index a86340be..7099df74 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -28,11 +28,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 75234700..693ed570 100755 
--- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From b441970eaa700102363bbac4641002c42a53a5b3 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:44:57 +0600 Subject: [PATCH 06/17] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 7099df74..20067da3 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -19,15 +19,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From 38233f27f24e13b47c1887b8eebc6e7db82b73ae Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:10:26 +0600 Subject: [PATCH 07/17] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 20067da3..8a510b97 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
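Review bot: `gh api "$api_url" -f body="$msg"` authenticates from `GITHUB_TOKEN` (or `GH_TOKEN`) in the environment and, unlike `hub`, ignores `GITHUB_USER`, so that variable in the workflow step is now dead unless the script reads it elsewhere (the top of the script is outside the hunk). Two things to verify in the part not shown: that `api_url` is guaranteed non-empty after the `case`, since an unmatched `GITHUB_BASE_REF` would otherwise hand `gh api` an empty path, and that `msg` is assembled only from trusted fields, because it is posted verbatim as the comment body. A `set -euo pipefail` at the top, if not already present, makes the first failure mode fail closed instead of posting to the wrong place.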
@@ -19,8 +19,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -37,6 +37,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 5c1b58a10649618ad43995a4ed0f0871eb36d41b Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:20:26 +0600 Subject: [PATCH 08/17] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 8a510b97..0721e5df 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,6 +12,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -21,9 +22,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -32,9 +30,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From 74d9695071a0d7c8acf49d04fa30a418fa9eba19 Mon Sep 17 00:00:00 2001 
From: Tamal Saha Date: Wed, 13 May 2026 18:55:35 +0600 Subject: [PATCH 09/17] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0721e5df..ec7b274f 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -14,8 +14,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From cfdcc6650d489a9ba8a884a60aec60c42451aad4 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:03:55 +0600 Subject: [PATCH 10/17] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ec7b274f..42866304 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -26,6 +26,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From da4ec0cd831f1aa87d0b6b7e99e17b1962eb3ec2 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:36:25 +0600 Subject: [PATCH 11/17] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c88c2ebb..e84a8a4c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
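Review bot: Dropping the job-level `permissions:` block does not make the default `GITHUB_TOKEN` minimal; it falls back to the repository or organisation default, which on many repos is still read/write for every scope. Since the only writing step now uses the App token, the block should be replaced rather than removed, e.g. `permissions:` / `  contents: read` (checkout needs nothing more), unless a workflow-level `permissions:` outside this hunk already pins it down.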
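Review bot: `permission-pull-requests: write` narrows the App token (without any `permission-*` input the action mints a token carrying every permission the installation has), but whether it matches the call depends on `$api_url` in `hack/scripts/update-release-tracker.sh`, which is outside the hunk. The issue-comments endpoint is documented under the `issues` permission, with PR comments commonly accepted via `pull_requests`, so confirm it against the endpoint the script actually hits and that the tracker target is always a PR. A one-line comment above the step such as `# scoped to commenting on the CHANGELOG tracker PR; see hack/scripts/update-release-tracker.sh` would let the next maintainer re-check the scope against the call.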
@@ -21,8 +21,7 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Print version info id: semver From d0879fdcd2787917b6d1f8434726230a554a876e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:07:58 +0600 Subject: [PATCH 12/17] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43..e5864589 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 7ecd7f0d2a54a72b4d6be544bea26d9d93001bed Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:09:32 +0600 Subject: [PATCH 13/17] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e5864589..b64a5f6f 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From 46cc5896f5aa1cd6a6bb89ee20da11ba8a7654aa Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:35:51 +0600 Subject: [PATCH 14/17] Pin docker/login-action to v4.1.0 Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e84a8a4c..bc653ae8 100644 
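Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` makes Kodiak approve every PR that identity opens, so combined with Kodiak's merge settings elsewhere in this file (not in the hunk) changes authored under the App token can land with no human review. That turns `LGTM_APP_PRIVATE_KEY` into a review-bypass credential: anyone who can read that secret, or run a step after `Generate LGTM App token` in this repo or any other repo the App is installed on, can merge code. Kodiak's `auto_approve_usernames` has no path filter, so the restriction has to come from the App side: install it only where the release tracker needs it, request the minimum permissions, and keep the key out of workflows that run untrusted code.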
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to the GitHub Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} From 870144ef674bac1348fc9bf7591b9e4c502e1813 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:44:14 +0600 Subject: [PATCH 15/17] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bc653ae8..d882a71a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,7 +52,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 if: startsWith(github.ref, 'refs/tags/') env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 5f460ef3dcf237ca4d4174a8bb5dc0bbc2ddfd42 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:57:52 +0600 Subject: [PATCH 16/17] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3fd38c3a..6280a1e2 100644 --- a/Makefile +++ b/Makefile 
@@ -29,7 +29,7 @@ SRC_REG ?= # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) From 3e4f56b8ba6c11f2b5d307c26124c7d5194ece32 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 21:53:10 +0600 Subject: [PATCH 17/17] Remove bzr install from workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4044bf47..9f966978 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,8 +39,6 @@ jobs: - name: Prepare Host run: | - sudo apt-get -qq update || true - sudo apt-get install -y bzr - name: Run checks run: |
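Review bot: With `--tags`, `git describe --exact-match` now resolves any tag pointing at HEAD, lightweight or annotated, so a stray non-release tag on the same commit would become `git_tag` and hence the version baked into release artifacts. If release tags share a prefix, constrain the lookup, e.g. `git_tag := $(shell git describe --tags --exact-match --match 'v*' 2>/dev/null || echo "")`; `--abbrev=0` is redundant under `--exact-match` and can be dropped. The tag naming convention is not visible here, so confirm the pattern before applying it.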
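Review bot: Removing both `apt-get` lines leaves the `Prepare Host` step with an empty `run: |` block scalar, which GitHub Actions is likely to reject at parse time (a `run` script is expected to be non-empty) and at best leaves a dead step. Either delete the whole `- name: Prepare Host` / `run: |` pair, or keep a deliberate no-op such as `echo "nothing to prepare"` if the step is retained as a placeholder for future host setup.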