From d2e6de355a8d7080ff08bfbd3c66cc756f2d5a43 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:46:49 +0600 Subject: [PATCH 01/21] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- .github/workflows/update-crds.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4b79b251d..ddf30b2aa 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -35,7 +35,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/update-crds.yaml b/.github/workflows/update-crds.yaml index 18e9c88d1..2126f29c1 100644 --- a/.github/workflows/update-crds.yaml +++ b/.github/workflows/update-crds.yaml @@ -36,8 +36,8 @@ jobs: - name: Clone installer repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} INSTALLER_REPOSITORY: ${{ secrets.INSTALLER_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${INSTALLER_REPOSITORY}.git" @@ -49,8 +49,8 @@ jobs: - name: Update crds env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} INSTALLER_REPOSITORY: ${{ secrets.INSTALLER_REPOSITORY }} run: | export INSTALLER_ROOT=$RUNNER_WORKSPACE/$(basename $INSTALLER_REPOSITORY) From a5792cac91e07c19f442eb43d2af4f798845a8d1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:46:49 +0600 Subject: [PATCH 02/21] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 11 +++++++---- .github/workflows/update-crds.yaml | 4 ++-- 4 files changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 423bbaf9e..be3dc3987 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,22 +19,22 @@ jobs: runs-on: firecracker steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login GitHub Container Registry env: @@ -65,11 +65,11 @@ jobs: matrix: k8s: [v1.28.15, v1.30.13, v1.32.5, v1.34.0] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.29.0 image: kindest/node:${{ matrix.k8s }} diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ddf30b2aa..3bbd8b29b 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,9 +12,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f12bc6a5..1f9f9d216 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,10 +16,13 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go @@ -31,12 +34,12 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Publish to GitHub Container Registry env: diff --git a/.github/workflows/update-crds.yaml b/.github/workflows/update-crds.yaml index 2126f29c1..3eb95e678 100644 --- a/.github/workflows/update-crds.yaml +++ b/.github/workflows/update-crds.yaml @@ -16,12 +16,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install GitHub CLI run: | From df639b52653ca3969a0ea5b17bc48a22de809d6b Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 00:06:04 +0600 Subject: [PATCH 03/21] Push to ghcr.io/appscodeci with docker/login-action Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be3dc3987..3b205c43a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,12 +36,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Login GitHub Container Registry - env: - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm - run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} + - name: Login to GitHub Container Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ghcr.io + username: 1gtm + password: ${{ secrets.LGTM_GITHUB_TOKEN }} - name: Push Docker Image env: From 880fa1f600797c04b86526c61f9814d7814c6058 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:49:41 +0600 Subject: [PATCH 04/21] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 3bbd8b29b..0c59d75fd 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -32,12 +32,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 200e4cbcf0fd4a160c48411d309d3e27d561b3e6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:31:01 +0600 Subject: [PATCH 05/21] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release-tracker.yml | 5 ----- .github/workflows/update-crds.yaml | 5 ----- hack/scripts/update-release-tracker.sh | 2 +- 4 files changed, 3 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b205c43a..7488a206a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,10 +69,10 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 + uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 with: version: v0.29.0 - image: kindest/node:${{ matrix.k8s }} + node_image: kindest/node:${{ matrix.k8s }} - name: Test crds run: | diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0c59d75fd..f2cd0588b 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -27,11 +27,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/.github/workflows/update-crds.yaml b/.github/workflows/update-crds.yaml index 3eb95e678..3b46a5ead 100644 --- a/.github/workflows/update-crds.yaml +++ b/.github/workflows/update-crds.yaml @@ -23,11 +23,6 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Install crd-importer run: | curl -L -o crd-importer https://github.com/kmodules/crd-importer/releases/download/v0.0.1/crd-importer-linux-amd64 diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 7184cb6fe..c8bfc4ff2 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From 1047d689f1f9cf4ee36e399de830921b6930f754 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:44:39 +0600 Subject: [PATCH 06/21] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index f2cd0588b..b52463897 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,15 +18,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From 1f9e8450ee55f4c88b8d611921b1750822bb1ee8 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:10:04 +0600 Subject: [PATCH 07/21] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index b52463897..96fd05c95 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -36,6 +36,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 6a4ff4d69b95e690d6b7d4a0456cd13d73f5727e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:20:05 +0600 Subject: [PATCH 08/21] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 96fd05c95..d6971e418 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -11,6 +11,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -20,9 +21,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -31,9 +29,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From 6d59b4a65b04dec47302e674e48bd806636ed70b Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:55:12 +0600 Subject: [PATCH 09/21] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index d6971e418..1e11e07df 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,8 +13,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 164b9dd5b8d0f1396658b2d0bfa084928848c0d2 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:03:35 +0600 Subject: [PATCH 10/21] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 1e11e07df..6be6c21ef 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -25,6 +25,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From 08e6ab6dfeb4307ba661bba1a9debcf7d7e95e98 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:36:01 +0600 Subject: [PATCH 11/21] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f9f9d216..92cccb61f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,8 +18,7 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Set up Go 1.25 uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 From f02104201a3d28fc14d128405c78e75e754ad841 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 11:49:30 +0600 Subject: [PATCH 12/21] Use docker/login-action; drop redundant docker hub steps Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 92cccb61f..7b69eb5e9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,12 +40,16 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Log in to the GitHub Container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: 1gtm + password: ${{ secrets.LGTM_GITHUB_TOKEN }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/stashed - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm APPSCODE_ENV: prod run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} make release From 6290779cc98637fae6183aab6a756540e5a306b7 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:07:35 +0600 Subject: [PATCH 13/21] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43d..e58645893 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From e6d25c819dc2096468b179d3309376b32754c2ab Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:09:06 +0600 Subject: [PATCH 14/21] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e58645893..b64a5f6fc 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From 944a3ff2ac51394f93332ed6c5952961b6ad0138 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:35:26 +0600 Subject: [PATCH 15/21] Pin docker/login-action to v4.1.0 Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7b69eb5e9..fdea8e28d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,7 @@ jobs: uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to the GitHub Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: 1gtm From 96f34eb4fbc74cccff784eb14330402221c5ff65 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:43:49 +0600 Subject: [PATCH 16/21] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fdea8e28d..c73e7ae12 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,8 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 781a08b86962ceb3c67bfee1259ee500e9437342 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:57:24 +0600 Subject: [PATCH 17/21] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 976647dee..c1baa93f2 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ API_GROUPS ?= repositories:v1alpha1 stash:v1alpha1 stash:v1beta1 ui:v1 # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) From 57d61173d0eaab8441ec37c497215622ee531381 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 18:55:36 +0600 Subject: [PATCH 18/21] Rename .yaml workflow files to .yml for consistency Signed-off-by: Tamal Saha --- .github/workflows/{update-crds.yaml => update-crds.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{update-crds.yaml => update-crds.yml} (100%) diff --git a/.github/workflows/update-crds.yaml b/.github/workflows/update-crds.yml similarity index 100% rename from .github/workflows/update-crds.yaml rename to .github/workflows/update-crds.yml From 27574f565daccdb8439751fa834722c4e3bb8927 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 23:37:18 +0600 Subject: [PATCH 19/21] Pin git user to 1gtm in update-crds/update-docs workflows Signed-off-by: Tamal Saha --- .github/workflows/update-crds.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-crds.yml b/.github/workflows/update-crds.yml index 3b46a5ead..38a5e816c 100644 --- a/.github/workflows/update-crds.yml +++ b/.github/workflows/update-crds.yml @@ -39,8 +39,8 @@ jobs: cd $RUNNER_WORKSPACE git clone $url cd $(basename $INSTALLER_REPOSITORY) - git config user.name "${GITHUB_USER}" - git config user.email "${GITHUB_USER}@appscode.com" + git config user.name "1gtm" + git config user.email "1gtm@appscode.com" - name: Update crds env: From 09125071cd32c36667ec1a8546ba1994c5529398 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 15 May 2026 11:45:09 +0600 Subject: [PATCH 20/21] ci.yml: drop redundant apt-get update step The Run checks step does not install any apt packages; kubectl is fetched via curl. Removing the no-op apt-get update tightens the workflow. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7488a206a..7786ab9fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,6 @@ jobs: - name: Run checks run: | - sudo apt-get -qq update || true curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.31.0/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl From 089ae9aea2ee16665fab3b59ac53a5f6a1805595 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 15 May 2026 11:45:18 +0600 Subject: [PATCH 21/21] update-crds.yml: use LGTM App token; drop unused Go setup - Generate a scoped LGTM App token (contents+pull-requests write) instead of using the default GITHUB_TOKEN, which lacks cross-repo push access to the installer repository. - Mask the parsed owner/name derived from the INSTALLER_REPOSITORY secret so they do not leak into logs. - Set http.extraheader via git config before cloning so the token is never baked into the remote URL or .git/config. - Pin GITHUB_USER to 1gtm for consistent attribution on manual workflow_dispatch runs. - Drop the Set up Go step; neither import-crds.sh nor open-pr.sh invokes the Go toolchain. Signed-off-by: Tamal Saha --- .github/workflows/update-crds.yml | 42 ++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/.github/workflows/update-crds.yml b/.github/workflows/update-crds.yml index 38a5e816c..fa05bd76f 100644 --- a/.github/workflows/update-crds.yml +++ b/.github/workflows/update-crds.yml @@ -15,12 +15,6 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - name: Set up Go 1.25 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 - with: - go-version: '1.25' - id: go - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install crd-importer @@ -29,23 +23,47 @@ jobs: chmod +x ./crd-importer sudo mv ./crd-importer /usr/local/bin/crd-importer + - name: Parse installer repository + id: installer + env: + INSTALLER_REPOSITORY: ${{ secrets.INSTALLER_REPOSITORY }} + run: | + owner=$(basename $(dirname $INSTALLER_REPOSITORY)) + name=$(basename $INSTALLER_REPOSITORY) + echo "::add-mask::$owner" + echo "::add-mask::$name" + echo "owner=$owner" >> $GITHUB_OUTPUT + echo "name=$name" >> $GITHUB_OUTPUT + + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ steps.installer.outputs.owner }} + repositories: ${{ steps.installer.outputs.name }} + permission-contents: write + permission-pull-requests: write + - name: Clone installer repository env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_USER: 1gtm + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} INSTALLER_REPOSITORY: ${{ secrets.INSTALLER_REPOSITORY }} run: | - url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${INSTALLER_REPOSITORY}.git" + git config --global http.https://github.com/.extraheader \ + "AUTHORIZATION: basic $(echo -n x-access-token:${GITHUB_TOKEN} | base64)" cd $RUNNER_WORKSPACE - git clone $url + git clone "https://${INSTALLER_REPOSITORY}.git" cd $(basename $INSTALLER_REPOSITORY) git config user.name "1gtm" git config user.email "1gtm@appscode.com" - name: Update crds env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_USER: 1gtm + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} INSTALLER_REPOSITORY: ${{ secrets.INSTALLER_REPOSITORY }} run: | export INSTALLER_ROOT=$RUNNER_WORKSPACE/$(basename $INSTALLER_REPOSITORY)