From ea9acc168d5f5fd1c71aa5bbf272ee1ebd1cfff7 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:48:06 +0600 Subject: [PATCH 01/13] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 8 ++++---- .github/workflows/release-tracker.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 27d0f620..4c7d3eb0 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -49,8 +49,8 @@ jobs: - name: Clone website repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} WEBSITE_REPOSITORY: ${{ secrets.WEBSITE_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${WEBSITE_REPOSITORY}.git" @@ -62,8 +62,8 @@ jobs: - name: Update docs env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} WEBSITE_REPOSITORY: ${{ secrets.WEBSITE_REPOSITORY }} GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }} run: | diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4b79b251..ddf30b2a 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -35,7 +35,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh From 00c74f3bcfe83440de27e9004a010db2458d08d0 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:48:06 +0600 Subject: [PATCH 02/13] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/preview-website.yml | 8 ++++---- .github/workflows/release-tracker.yml | 4 +++- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d0c8402..7019e7ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,7 +18,7 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install link checker run: | @@ -38,7 +38,7 @@ jobs: - name: Create Kubernetes cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.29.0 diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 4c7d3eb0..16e89808 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -15,16 +15,16 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go 1.x - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Use Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '18' @@ -76,7 +76,7 @@ jobs: make docs-skip-assets make gen-prod - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0 with: repoToken: '${{ secrets.GITHUB_TOKEN }}' firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }}' diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ddf30b2a..3bbd8b29 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,9 +12,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: From 15db8eb3a89d6d499fd46f154c979646bfd9c749 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 18:58:19 +0600 Subject: [PATCH 03/13] Grant preview-website job the permissions Firebase deploy needs Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 16e89808..0bce0383 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -14,6 +14,10 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read + checks: write + pull-requests: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From ea102f02428a878e3f65c4cb974853a3ecfa75c6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:49:24 +0600 Subject: [PATCH 04/13] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 3bbd8b29..0c59d75f 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -32,12 +32,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From fe870cf93f4a3c907fb41b252ad9bbf76a10052b Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:31:05 +0600 Subject: [PATCH 05/13] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 +- .github/workflows/release-tracker.yml | 5 ----- hack/scripts/open-pr.sh | 8 ++++---- hack/scripts/update-release-tracker.sh | 2 +- 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7019e7ee..ef248e2f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: - name: Create Kubernetes cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 + uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 with: version: v0.29.0 diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0c59d75f..f2cd0588 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -27,11 +27,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/hack/scripts/open-pr.sh b/hack/scripts/open-pr.sh index 0baf2b80..fcc71231 100755 --- a/hack/scripts/open-pr.sh +++ b/hack/scripts/open-pr.sh @@ -36,7 +36,7 @@ pr_branch=${GITHUB_REPOSITORY}@${GITHUB_SHA:0:8} git checkout -b $pr_branch git commit -a -s -m "Update docs for $pr_branch" git push -u origin HEAD -hub pull-request \ - --labels automerge \ - --message "Update docs for $pr_branch" \ - --message "$(git show -s --format=%b)" +gh pr create \ + --label automerge \ + --title "Update docs for $pr_branch" \ + --body "$(git show -s --format=%b)" diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 7184cb6f..c8bfc4ff 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From 3e21b760dd7ec016dbcf3435038b03c93f7f34c9 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:44:45 +0600 Subject: [PATCH 06/13] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index f2cd0588..b5246389 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,15 +18,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From a7d100795ca7216bc5ce61f1a473e260a53cfd6d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:10:09 +0600 Subject: [PATCH 07/13] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index b5246389..96fd05c9 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -36,6 +36,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 4ff29b11425527fb48f1915248d96e796fb2d83d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:20:13 +0600 Subject: [PATCH 08/13] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 96fd05c9..d6971e41 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -11,6 +11,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -20,9 +21,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -31,9 +29,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From 684e5afb95af2bd36915011869578df8b8d5bdeb Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:55:14 +0600 Subject: [PATCH 09/13] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index d6971e41..1e11e07d 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,8 +13,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 62bec7f44cab8f58d2d8359eda945056329117c1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:03:37 +0600 Subject: [PATCH 10/13] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 1e11e07d..6be6c21e 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -25,6 +25,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From ee6e244ddab7c1b75cf183b57fc76c2de4a58d7a Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 21:14:22 +0600 Subject: [PATCH 11/13] Use node-version: '22' in setup-node steps Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 0bce0383..36be55fd 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -30,7 +30,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: '18' + node-version: '22' - name: Install yq run: | From 589766a35bb581bfa602c42bfc4cca5fae2d15af Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:07:36 +0600 Subject: [PATCH 12/13] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43..e5864589 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 0acebc9e78af0a80b5e5dfe29427f5932347daed Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:09:13 +0600 Subject: [PATCH 13/13] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e5864589..b64a5f6f 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file