From 54260f6b40348de9b6322be0d9815da0852b56ea Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:47:46 +0600 Subject: [PATCH 01/19] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- .github/workflows/release.yml | 8 ++++---- .github/workflows/update-docs.yml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4b79b251d..ddf30b2aa 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -35,7 +35,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2e7050efb..b87cda88b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,8 +60,8 @@ jobs: - name: Clone krew-index repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | KREW_INDEX_REPOSITORY=github.com/appscode/krew-index url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${KREW_INDEX_REPOSITORY}.git" @@ -73,8 +73,8 @@ jobs: - name: Publish krew manifest env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.') || contains(github.ref, '-rc.')) == false run: | cd $RUNNER_WORKSPACE/krew-index diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index df70bc7ef..2100cd814 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -30,8 +30,8 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" @@ -43,8 +43,8 @@ jobs: - name: Update docs env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | export DOCS_ROOT=$RUNNER_WORKSPACE/$(basename $DOCS_REPOSITORY) From b17ead4f3c3b7ef9753cd350863326098707e31d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:47:46 +0600 Subject: [PATCH 02/19] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 11 +++++++---- .github/workflows/update-docs.yml | 4 ++-- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8f9447c97..7f0d3203f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,13 +19,13 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run checks run: | diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ddf30b2aa..3bbd8b29b 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,9 +12,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b87cda88b..0f9d9f985 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Print version info id: semver @@ -25,12 +28,12 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build env: @@ -39,7 +42,7 @@ jobs: make release COMPRESS=yes - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 2100cd814..0f3140162 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -16,12 +16,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install GitHub CLI run: | From 3d96d451e9adc536117cb07063d85bd5c5fa2f5c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 09:43:43 +0600 Subject: [PATCH 03/19] Add job permissions for workflow Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0f9d9f985..7bddba850 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,8 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 3bc6b4e1eaa1f597bc95ec6922b382ed955e845e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:49:24 +0600 Subject: [PATCH 04/19] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 3bbd8b29b..0c59d75fd 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -32,12 +32,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 23581817182779e720298e0febbabb1f342d6647 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:31:05 +0600 Subject: [PATCH 05/19] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 5 ----- .github/workflows/release.yml | 5 ----- .github/workflows/update-docs.yml | 5 ----- hack/scripts/update-release-tracker.sh | 2 +- 4 files changed, 1 insertion(+), 16 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0c59d75fd..f2cd0588b 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -27,11 +27,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7bddba850..527fad3b5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -58,11 +58,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Clone krew-index repository env: GITHUB_USER: ${{ github.actor }} diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 0f3140162..c91a48db6 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -23,11 +23,6 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Clone charts repository env: GITHUB_USER: ${{ github.actor }} diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 181aebfca..12fee4000 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From 13a69508799e2966abab6d7312bc8ce598c69509 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:44:45 +0600 Subject: [PATCH 06/19] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index f2cd0588b..b52463897 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,15 +18,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From 82b39e4f6a482142ce9eff6a9963535d43709667 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:10:05 +0600 Subject: [PATCH 07/19] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index b52463897..96fd05c95 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -36,6 +36,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 7a5fc55b7df9eb1f365739b8fe4374315dffaa83 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:20:08 +0600 Subject: [PATCH 08/19] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 96fd05c95..d6971e418 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -11,6 +11,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -20,9 +21,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -31,9 +29,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From 2cb4325614e2c4fa22b0dd7fc89b7ff6f435e21c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:55:14 +0600 Subject: [PATCH 09/19] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index d6971e418..1e11e07df 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,8 +13,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 2fb00442b2d7ea8ce8a3b941d1b1dc809f0955f8 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:03:37 +0600 Subject: [PATCH 10/19] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 1e11e07df..6be6c21ef 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -25,6 +25,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From 6af83ce64bfa816eda851c8d17ba90797c4af9ff Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:21:24 +0600 Subject: [PATCH 11/19] update-docs.yml: use LGTM App token Signed-off-by: Tamal Saha --- .github/workflows/update-docs.yml | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index c91a48db6..586924c91 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -23,13 +23,35 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Parse docs repository + id: docs-repo + env: + DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} + run: | + # DOCS_REPOSITORY is expected to be of the form: // + path="${DOCS_REPOSITORY#*/}" + echo "owner=${path%%/*}" >> "$GITHUB_OUTPUT" + echo "name=${path##*/}" >> "$GITHUB_OUTPUT" + + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ steps.docs-repo.outputs.owner }} + repositories: ${{ steps.docs-repo.outputs.name }} + permission-contents: write + permission-pull-requests: write + - name: Clone charts repository env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | - url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" + url="https://x-access-token:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" cd $RUNNER_WORKSPACE git clone $url cd $(basename $DOCS_REPOSITORY) @@ -39,7 +61,7 @@ jobs: - name: Update docs env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | export DOCS_ROOT=$RUNNER_WORKSPACE/$(basename $DOCS_REPOSITORY) From b85a29e085d090113c75e25e3c04288424c5ef2c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:23:03 +0600 Subject: [PATCH 12/19] release.yml: use LGTM App token for krew-index publish Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 527fad3b5..fd2d00790 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -58,13 +58,39 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Classify release + id: release-type + run: | + ref="${GITHUB_REF}" + if [[ "$ref" == refs/tags/* ]] \ + && [[ "$ref" != *-alpha.* ]] \ + && [[ "$ref" != *-beta.* ]] \ + && [[ "$ref" != *-rc.* ]]; then + echo "is_release=true" >> "$GITHUB_OUTPUT" + else + echo "is_release=false" >> "$GITHUB_OUTPUT" + fi + + - name: Generate LGTM App token + id: lgtm-app-token + if: steps.release-type.outputs.is_release == 'true' + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: appscode + repositories: krew-index + permission-contents: write + permission-pull-requests: write + - name: Clone krew-index repository + if: steps.release-type.outputs.is_release == 'true' env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | KREW_INDEX_REPOSITORY=github.com/appscode/krew-index - url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${KREW_INDEX_REPOSITORY}.git" + url="https://x-access-token:${GITHUB_TOKEN}@${KREW_INDEX_REPOSITORY}.git" cd $RUNNER_WORKSPACE git clone $url cd $(basename $KREW_INDEX_REPOSITORY) @@ -74,8 +100,8 @@ jobs: - name: Publish krew manifest env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.') || contains(github.ref, '-rc.')) == false + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} + if: steps.release-type.outputs.is_release == 'true' run: | cd $RUNNER_WORKSPACE/krew-index ./hack/scripts/open-pr.sh $GITHUB_WORKSPACE stash From a24848fc5560e7b30476202f950ef6684a45db90 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:36:02 +0600 Subject: [PATCH 13/19] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fd2d00790..313f45387 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,8 +20,7 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Print version info id: semver From 655415914faea227a94d2b1903efc619af0574f3 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:07:36 +0600 Subject: [PATCH 14/19] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43d..e58645893 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From bd64e71bf3272c1fe941cc0cc050f47a87d94f32 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:09:13 +0600 Subject: [PATCH 15/19] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e58645893..b64a5f6fc 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From b3acaed2c6c9f3228e05ffad6d54016f09e89473 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:43:51 +0600 Subject: [PATCH 16/19] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 313f45387..a66e4e5d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,7 +43,7 @@ jobs: make release COMPRESS=yes - name: Release - uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 if: startsWith(github.ref, 'refs/tags/') with: files: | From ad23ebac1986c7a7fc4602ce2caa981c8d7d84f1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:57:30 +0600 Subject: [PATCH 17/19] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 9e8004469..63715e2c7 100644 --- a/Makefile +++ b/Makefile @@ -21,7 +21,7 @@ COMPRESS ?= no # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) From 7efeb31cff3d73a71da9789e2202d06382c2b60d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 21:52:55 +0600 Subject: [PATCH 18/19] Remove bzr install from workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7f0d3203f..1708ea9ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,6 +29,4 @@ jobs: - name: Run checks run: | - sudo apt-get -qq update || true - sudo apt-get install -y bzr make ci From c15dca1488ea1225b57931fed3d5d9b10ad4f32d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 23:37:24 +0600 Subject: [PATCH 19/19] Pin git user to 1gtm in update-crds/update-docs workflows Signed-off-by: Tamal Saha --- .github/workflows/update-docs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 586924c91..0b41c40a0 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -55,8 +55,8 @@ jobs: cd $RUNNER_WORKSPACE git clone $url cd $(basename $DOCS_REPOSITORY) - git config user.name "${GITHUB_USER}" - git config user.email "${GITHUB_USER}@appscode.com" + git config user.name "1gtm" + git config user.email "1gtm@appscode.com" - name: Update docs env: