From 43a0c22eb20b6ba4a109a69cb649433b15741a23 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:52:13 +0600
Subject: [PATCH 01/18] Use dynamic github token
Signed-off-by: Tamal Saha
---
.github/workflows/cherry-pick.yml | 8 ++++----
.github/workflows/release-tracker.yml | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index baa002de7..8d3eb42bc 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -14,8 +14,8 @@ jobs:
- name: Prepare git
env:
- GITHUB_USER: 1gtm
- GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+ GITHUB_USER: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "${GITHUB_USER}"
git config --global user.email "${GITHUB_USER}@appscode.com"
@@ -28,7 +28,7 @@ jobs:
- name: Update release branches
env:
- GITHUB_USER: 1gtm
- GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+ GITHUB_USER: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./hack/scripts/cherry-pick.sh
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 05e99410d..543abe1f5 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -13,8 +13,8 @@ jobs:
- name: Prepare git
env:
- GITHUB_USER: 1gtm
- GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+ GITHUB_USER: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "${GITHUB_USER}"
git config --global user.email "${GITHUB_USER}@appscode.com"
@@ -30,7 +30,7 @@ jobs:
github.event.action == 'closed' &&
github.event.pull_request.merged == true
env:
- GITHUB_USER: 1gtm
- GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+ GITHUB_USER: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./hack/scripts/update-release-tracker.sh
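Review bot: With `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` the `Prepare git` step still rewrites `origin` to `https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/...` (the line right after this hunk's context, visible in patch 5), which embeds the token in the remote URL where `git remote -v` and URL-printing error messages can echo it; `actions/checkout` already persists a credential for `origin` by default, so that `git remote set-url` line can be dropped once the default token is in use. Using the default token also means cherry-pick.yml needs an explicit job-level `permissions:` block with `contents: write` and `pull-requests: write` (`cherry-pick.sh` pushes branches and opens pull requests), and none is added to this file anywhere in the series, so the job will fail wherever the repository's default token permissions are read-only. Pull requests created with `GITHUB_TOKEN` also do not trigger `pull_request` workflows, so CI will not run on the cherry-pick PRs unless another credential is used for that step. The same substitution appears in the `Update release branches` hunk below and in both release-tracker.yml hunks.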
From 32bfd5c274b0513d0a8d8ee4ca7ae3503cfec2e0 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:52:14 +0600
Subject: [PATCH 02/18] Harden GitHub Actions workflows
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.
Signed-off-by: Tamal Saha
---
.github/workflows/cherry-pick.yml | 2 +-
.github/workflows/ci.yml | 8 ++++----
.github/workflows/release-tracker.yml | 4 +++-
.github/workflows/release.yml | 9 ++++++---
4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index 8d3eb42bc..ac7e61d4d 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Prepare git
env:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56fc0fadf..285502cda 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,21 +14,21 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Set up Go 1.25
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version: '1.25'
id: go
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Set up QEMU
id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
with:
cache-image: false
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Run checks
run: |
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 543abe1f5..d366f9c30 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -7,9 +7,11 @@ on:
jobs:
build:
runs-on: ubuntu-24.04
+ permissions:
+ contents: write
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Prepare git
env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 444e9d170..854012332 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Check out code into the Go module directory
- uses: actions/checkout@v1
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 1
+ fetch-tags: true
- name: Install GitHub CLI
run: |
@@ -25,12 +28,12 @@ jobs:
- name: Set up QEMU
id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
with:
cache-image: false
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Publish to GitHub Container Registry
env:
From 2fbfc3fb22f955bad0b1af43f4ca960b5066f091 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 00:01:06 +0600
Subject: [PATCH 03/18] Push to ghcr.io/appscodeci with docker/login-action
Signed-off-by: Tamal Saha
---
.github/workflows/ci.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 285502cda..3a371c1eb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,11 +34,15 @@ jobs:
run: |
make ci
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ghcr.io
+ username: 1gtm
+ password: ${{ secrets.LGTM_GITHUB_TOKEN }}
+
- name: Build
env:
REGISTRY: ghcr.io/appscodeci
- DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
- USERNAME: 1gtm
run: |
- docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN}
make push
From 68f80884d9c3863acb72c931fd2d1a361748b655 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 14:49:30 +0600
Subject: [PATCH 04/18] Use GitHub App token for release tracker comments
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index d366f9c30..9f8c62224 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
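Review bot: The new `Login to GitHub Container Registry` step authenticates with the long-lived `LGTM_GITHUB_TOKEN` PAT on every run of ci.yml, while its only consumer visible here is the `make push` in the `Build` step that follows; if ci.yml is also triggered by `pull_request` (the `on:` block is outside this hunk), fork PRs get an empty secret and the login fails the run instead of being skipped, so both steps could be gated with `if: github.event_name != 'pull_request'`. If this repository lives under a different owner than `appscodeci`, the default `GITHUB_TOKEN` cannot replace the PAT for `ghcr.io/appscodeci`; the PAT should then carry only the `write:packages` scope and not double as a code-push credential (patch 1 removes its other uses). Moving the secret out of the `docker login --password` argument and into the action's `password:` input is an improvement worth keeping.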
@@ -27,12 +27,24 @@ jobs:
curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
sudo mv bin/hub /usr/local/bin
+ - name: Generate GitHub App token
+ id: app-token
+ if: |
+ github.event.action == 'closed' &&
+ github.event.pull_request.merged == true
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ secrets.LGTM_APP_CLIENT_ID }}
+ private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: CHANGELOG
+
- name: Update release tracker
if: |
github.event.action == 'closed' &&
github.event.pull_request.merged == true
env:
GITHUB_USER: ${{ github.actor }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
./hack/scripts/update-release-tracker.sh
From 8ea67906eaf9aced633cd5ed69bcd154d3c29c80 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 17:31:19 +0600
Subject: [PATCH 05/18] Apply kubedb/installer#2281: harden CI workflows
Signed-off-by: Tamal Saha
---
.github/workflows/cherry-pick.yml | 5 -----
.github/workflows/release-tracker.yml | 5 -----
.github/workflows/release.yml | 5 -----
hack/scripts/update-release-tracker.sh | 2 +-
4 files changed, 1 insertion(+), 16 deletions(-)
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index ac7e61d4d..1eed0a701 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -21,11 +21,6 @@ jobs:
git config --global user.email "${GITHUB_USER}@appscode.com"
git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
- - name: Install GitHub CLI
- run: |
- curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
- sudo mv bin/hub /usr/local/bin
-
- name: Update release branches
env:
GITHUB_USER: ${{ github.actor }}
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 9f8c62224..9837d664f 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -22,11 +22,6 @@ jobs:
git config --global user.email "${GITHUB_USER}@appscode.com"
git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
- - name: Install GitHub CLI
- run: |
- curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
- sudo mv bin/hub /usr/local/bin
-
- name: Generate GitHub App token
id: app-token
if: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 854012332..0b7ca309b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,11 +16,6 @@ jobs:
fetch-depth: 1
fetch-tags: true
- - name: Install GitHub CLI
- run: |
- curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
- sudo mv bin/hub /usr/local/bin
-
- name: Print version info
id: semver
run: |
diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh
index 75234700b..693ed570f 100755
--- a/hack/scripts/update-release-tracker.sh
+++ b/hack/scripts/update-release-tracker.sh
@@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in
;;
esac
-hub api "$api_url" -f body="$msg"
+gh api "$api_url" -f body="$msg"
From d5fa7111e901e5df5689723fe82037f17bc52eab Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 17:44:58 +0600
Subject: [PATCH 06/18] Remove Prepare git step from release-tracker.yml
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 9837d664f..6ba54af61 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
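Review bot: `gh api "$api_url" -f body="$msg"` relies on the implicit switch to POST that `-f` triggers; writing it as `gh api --method POST "$api_url" -f body="$msg"` makes the write explicit and keeps working if a later edit drops the field. The three workflow hunks above that delete the `hub` install now assume `gh` is preinstalled, which holds for GitHub-hosted `ubuntu-24.04` runners but not for arbitrary self-hosted ones; `gh` also needs the token in `GH_TOKEN` or `GITHUB_TOKEN`, and the step env sets `GITHUB_TOKEN`, so that part is covered. Removing the `curl ... | bash` fetch from a floating `master` ref is a clear improvement. The `case` statement this hunk closes starts outside the hunk.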
@@ -13,15 +13,6 @@ jobs:
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - name: Prepare git
- env:
- GITHUB_USER: ${{ github.actor }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- git config --global user.name "${GITHUB_USER}"
- git config --global user.email "${GITHUB_USER}@appscode.com"
- git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
-
- name: Generate GitHub App token
id: app-token
if: |
From f3f24dcd070ebfc49b21541884f99ae22a4a65a9 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 18:10:24 +0600
Subject: [PATCH 07/18] Rename LGTM App token step id to lgtm-app-token
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 6ba54af61..d784653ac 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -13,8 +13,8 @@ jobs:
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - name: Generate GitHub App token
- id: app-token
+ - name: Generate LGTM App token
+ id: lgtm-app-token
if: |
github.event.action == 'closed' &&
github.event.pull_request.merged == true
@@ -31,6 +31,6 @@ jobs:
github.event.pull_request.merged == true
env:
GITHUB_USER: ${{ github.actor }}
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }}
run: |
./hack/scripts/update-release-tracker.sh
From 9296f901b6bf84db8037b96aab019179d8060797 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 18:20:24 +0600
Subject: [PATCH 08/18] release-tracker.yml: gate at job level with merged == true
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index d784653ac..644cd2218 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -6,6 +6,7 @@ on:
jobs:
build:
+ if: github.event.pull_request.merged == true
runs-on: ubuntu-24.04
permissions:
contents: write
@@ -15,9 +16,6 @@ jobs:
- name: Generate LGTM App token
id: lgtm-app-token
- if: |
- github.event.action == 'closed' &&
- github.event.pull_request.merged == true
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ secrets.LGTM_APP_CLIENT_ID }}
@@ -26,9 +24,6 @@ jobs:
repositories: CHANGELOG
- name: Update release tracker
- if: |
- github.event.action == 'closed' &&
- github.event.pull_request.merged == true
env:
GITHUB_USER: ${{ github.actor }}
GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }}
From a95caa5143c1d0eabb7fb4fb27406077669a3fcd Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 18:55:33 +0600
Subject: [PATCH 09/18] release-tracker.yml: drop permissions block
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 644cd2218..a658b1715 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -8,8 +8,6 @@ jobs:
build:
if: github.event.pull_request.merged == true
runs-on: ubuntu-24.04
- permissions:
- contents: write
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
From dab61ff8ecbc58a9cc7475269733e3e010fbf58c Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 19:03:52 +0600
Subject: [PATCH 10/18] release-tracker.yml: grant permission-pull-requests to LGTM App
Signed-off-by: Tamal Saha
---
.github/workflows/release-tracker.yml | 1 +
1 file changed, 1 insertion(+)
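Review bot: Moving the gate to `if: github.event.pull_request.merged == true` drops the `github.event.action == 'closed'` half of the former condition; `merged` stays `true` on every later event for that pull request, so if `on.pull_request.types` (outside this hunk) is not restricted to `closed`, an `edited` or `labeled` event on an already-merged PR re-runs the job and posts a duplicate release-tracker comment. Keeping `if: github.event.action == 'closed' && github.event.pull_request.merged == true` on the job, or restricting the trigger types, closes that gap. The job-level gate does correctly cover both the token step and the update step whose per-step conditions are removed in the two hunks below.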
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index a658b1715..d50cefe2f 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -20,6 +20,7 @@ jobs:
private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: CHANGELOG
+ permission-pull-requests: write
- name: Update release tracker
env:
From 420aaea30e790f2861fbd795288e7bda06ea7358 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 19:41:25 +0600
Subject: [PATCH 11/18] Replace hub CLI with gh CLI
Signed-off-by: Tamal Saha
---
hack/scripts/cherry-pick.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hack/scripts/cherry-pick.sh b/hack/scripts/cherry-pick.sh
index 1cb19b6af..72a94c123 100755
--- a/hack/scripts/cherry-pick.sh
+++ b/hack/scripts/cherry-pick.sh
@@ -37,10 +37,10 @@ while IFS=/ read -r -u9 repo branch; do
git checkout -b $pr_branch
git cherry-pick --strategy=recursive -X theirs $GITHUB_SHA
git push -u origin HEAD -f
- hub pull-request \
+ gh pr create \
--base $branch \
- --labels automerge \
- --message "[cherry-pick] $(git show -s --format=%s)" \
- --message "$(git show -s --format=%b | sed --expression='/\/cherry-pick/d')" || true
+ --label automerge \
+ --title "[cherry-pick] $(git show -s --format=%s)" \
+ --body "$(git show -s --format=%b | sed --expression='/\/cherry-pick/d')" || true
sleep 15
done 9< <(git branch -r | grep release)
From c54672334bc7ffafac8accd5487a0211b1a5fff3 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 10:36:16 +0600
Subject: [PATCH 12/18] Normalize Prepare git user, fetch-depth, drop permission-issues
Signed-off-by: Tamal Saha
---
.github/workflows/release.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b7ca309b..b7ec12a30 100644
--- a/.github/workflows/release.yml
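Review bot: `permission-pull-requests: write` is sufficient only if the `$api_url` built by `update-release-tracker.sh` posts to a pull request's comment endpoint; if the tracker target in `CHANGELOG` is a plain issue, the installation token also needs `permission-issues: write`, so confirm which endpoint the script builds (it is outside this hunk). With the job's `permissions:` block removed in patch 9, the default `GITHUB_TOKEN` now falls back to the repository default; an explicit `permissions: contents: read` on the job would record that `actions/checkout` is its only consumer. A comment above the new line, `# least privilege: the script only comments on the release-tracker PR`, would explain the chosen scope to the next editor.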
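Review bot: `--base $branch` on the rewritten `gh pr create` call (like `$pr_branch` and `$GITHUB_SHA` in the surrounding context) is unquoted, so a branch name containing whitespace or glob characters would be split or expanded; `--base "$branch"` is the safe form. The trailing `|| true` swallows every `gh pr create` failure — a missing `automerge` label, insufficient token permissions, an already-open PR — so a cherry-pick that never gets a PR goes unnoticed; `|| echo "warning: PR creation failed for $branch" >&2` keeps the loop best-effort while leaving a trace in the log. `gh` picks up the token from `GITHUB_TOKEN`, which the workflow step sets, so no extra `GH_TOKEN` wiring is needed. The enclosing `while` loop starts before this hunk.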
+++ b/.github/workflows/release.yml
@@ -13,8 +13,7 @@ jobs:
- name: Check out code into the Go module directory
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
- fetch-depth: 1
- fetch-tags: true
+ fetch-depth: 0
- name: Print version info
id: semver
From 6252092e3c3bf5135f4cc109d645b11b1e96bf09 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 11:49:43 +0600
Subject: [PATCH 13/18] Use docker/login-action; drop redundant docker hub steps
Signed-off-by: Tamal Saha
---
.github/workflows/release.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b7ec12a30..81b18f418 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,12 +29,16 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+ - name: Log in to the GitHub Container registry
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ with:
+ registry: ghcr.io
+ username: 1gtm
+ password: ${{ secrets.LGTM_GITHUB_TOKEN }}
+
- name: Publish to GitHub Container Registry
env:
REGISTRY: ghcr.io/stashed
- DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
- USERNAME: 1gtm
APPSCODE_ENV: prod
run: |
- docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN}
make release
From 51a2d084285b5e51c22433457be5761fe6dd8aef Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 14:07:55 +0600
Subject: [PATCH 14/18] Add 1gtm-app[bot] to kodiak auto_approve_usernames
Signed-off-by: Tamal Saha
---
.github/.kodiak.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index ded81e43d..e58645893 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
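Review bot: The new login step uses the long-lived `LGTM_GITHUB_TOKEN` PAT for `ghcr.io` even though the image is published under `ghcr.io/stashed`; if this repository belongs to the `stashed` owner (the Makefile's `REGISTRY ?= stashed` suggests so), the short-lived default token can do the push with `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}` plus `packages: write` in the job's `permissions:`, retiring one shared PAT from this workflow. If the owners differ, the PAT stays necessary and should be scoped to `write:packages` only. Moving the secret out of the `docker login --password` argument into the action's `password:` input is an improvement worth keeping.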
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
always = true # default: false
[approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
From 57074c6855f2cd8ce717ac4baa4d158b954d5c60 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 15:09:25 +0600
Subject: [PATCH 15/18] Normalize kodiak auto_approve_usernames
Signed-off-by: Tamal Saha
---
.github/.kodiak.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index e58645893..b64a5f6fc 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
always = true # default: false
[approve]
-auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]
\ No newline at end of file
From 56d5c1734f161507c5f4178e009ce1dfe5424290 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:35:45 +0600
Subject: [PATCH 16/18] Pin docker/login-action to v4.1.0
Signed-off-by: Tamal Saha
---
.github/workflows/release.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81b18f418..bd50620ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,7 +30,7 @@ jobs:
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Log in to the GitHub Container registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: 1gtm
From a19721a847f4cc11683da0e7c81c307fb9f527a0 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:44:15 +0600
Subject: [PATCH 17/18] Bump softprops/action-gh-release to v2.6.2; add permissions
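Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` turns the LGTM app's credentials (`LGTM_APP_CLIENT_ID` / `LGTM_APP_PRIVATE_KEY`, used in release-tracker.yml) into an effective approval bypass: any workflow or repository able to mint an installation token for that app can open pull requests that Kodiak approves automatically, so the private key deserves the same handling as a merge-capable admin credential. A comment above the line, `# 1gtm-app[bot]: PRs opened with the LGTM app token are auto-approved; keep LGTM_APP_PRIVATE_KEY tightly scoped`, would make that trust relationship visible to the next editor. Confirming the app is installed only on the repositories that need it keeps the blast radius small.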
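Review bot: The reordered `auto_approve_usernames` line drops the file's trailing newline (`\ No newline at end of file`), which the previous revision had; an incomplete last line produces a noisy diff on the next edit and trips some linters, so the new line should end with a newline. Beyond that, the change only reorders entries and does not alter which identities Kodiak auto-approves.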
Signed-off-by: Tamal Saha
---
.github/workflows/release.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd50620ae..676128b6d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
+ permissions:
+ contents: write
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
From ead1e759aa6fcf6dec9f9b82dc7090ae179eb436 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:57:49 +0600
Subject: [PATCH 18/18] Makefile: use --tags in git describe so lightweight tags resolve
Signed-off-by: Tamal Saha
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 8eef91a86..7c47fc380 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ REGISTRY ?= stashed
# This version-strategy uses git tags to set the version string
git_branch := $(shell git rev-parse --abbrev-ref HEAD)
-git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "")
+git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "")
commit_hash := $(shell git rev-parse --verify HEAD)
commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T)
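Review bot: The `softprops/action-gh-release` bump to v2.6.2 named in the subject is missing from this patch, which only adds `permissions: contents: write` — the bump appears nowhere else in the series either, so the subject and the diff disagree. `contents: write` is what a release-publishing action needs, but as a job-level grant every step in the job, including the pinned Docker actions, receives a write-capable `GITHUB_TOKEN`; a comment such as `# contents: write — required to create the GitHub release` records the reason and makes any future widening stand out in review.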
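Review bot: `git describe --tags --exact-match` now resolves any lightweight tag that happens to point at `HEAD`, not only release tags, so a non-release tag on the commit would become the version string; if release tags follow a `v`-prefixed pattern, `git describe --tags --exact-match --match 'v*' --abbrev=0` restricts the match accordingly. `--abbrev=0` is redundant next to `--exact-match` (an exact match prints the bare tag name either way), so it can stay for readability or be dropped. The `|| echo ""` fallback keeps the variable empty rather than failing the Makefile when no tag matches, which the downstream version logic presumably relies on.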