Harden CI workflows #1624

Merged
tamalsaha merged 24 commits into master from nolgtm on May 15, 2026

Conversation

@tamalsaha
Member

Summary

Tighten the GitHub Actions workflows in this repo so they no longer depend on a long-lived LGTM_GITHUB_TOKEN PAT, and bring them in line with GitHub's hardening guidance.

  • Use the default GITHUB_TOKEN instead of a PAT for in-repo operations. GITHUB_USER switches to github.actor.
  • Scope GITHUB_TOKEN to least privilege at the job level. release-tracker.yml gets contents: write so the token can push commits/tags back to this repo.
  • Pin every action to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be silently re-pointed.
  • Tag-triggered workflows now check out with fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone.
  • Bump outdated actions/checkout@v1 to @v4.3.1 where it appeared.

Test plan

  • CI passes on this PR.
  • Confirm release-tracker continues to push commits/tags on PR close.
  • Confirm release.yml still functions on the next tag.

🤖 Generated with Claude Code

tamalsaha added 2 commits May 11, 2026 23:53
Signed-off-by: Tamal Saha <tamal@appscode.com>
- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 11, 2026
- e2e: gate config job with the same /ok-to-test + OWNER/MEMBER check
  and make kubernetes need both build and config so untrusted comments
  can't trigger the workflow.
- e2e: move github.event.comment.body into an env var to close a shell
  injection vector, and replace deprecated ::set-output with $GITHUB_OUTPUT.
- e2e: key concurrency on the PR/issue number so runs on different PRs
  no longer cancel each other.
- e2e: replace actions/checkout + gh pr checkout with a single checkout
  using refs/pull/<n>/merge.
- ci: drop unused setup-qemu-action / setup-buildx-action (make ci uses
  plain docker run, no buildx or multi-arch).
- ci: set persist-credentials: false on checkout.
- ci, update-docs: drop redundant -ci / -docs suffixes from concurrency
  groups since github.workflow is already unique.

Signed-off-by: Tamal Saha <tamal@appscode.com>
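To make the hardening rules from the PR summary and the final commit message (SHA-pinned action refs, a declared `permissions:` block, and no contributor-controlled event fields interpolated into `run:` scripts) checkable, here is a small line-based workflow linter. It is an added example, not code from this PR or its repo; the two embedded workflows are constructed approximations of the e2e config job, and the 40-zero SHA is a placeholder rather than a real pin.

```python
import re
# "uses:" pinned to a full 40-hex commit SHA plus a version comment, the form this PR adopts.
PINNED = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}\s*#\s*\S+")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:")
# Contributor-controlled event fields; interpolated into a run: script they become shell source.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(?:comment\.body|(?:issue|pull_request)\.(?:title|body))\s*\}\}")

def lint_workflow(text):
    """Return (line, rule, detail) tuples; an empty list means every rule passed."""
    findings, run_indent, has_permissions = [], None, False
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # dedented to or past the run: key, so its script ended
        if m := RUN.match(line):  # column of the run: key; the script body sits deeper
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        if run_indent is not None:
            findings.extend((n, "script-injection", e.group(0)) for e in UNTRUSTED.finditer(line))
        if (m := USES.match(line)) and not PINNED.match(line):
            findings.append((n, "unpinned-action", m.group(1)))
        has_permissions = has_permissions or bool(re.match(r"^\s*permissions:", line))
    if not has_permissions:
        findings.append((0, "no-permissions", "GITHUB_TOKEN keeps its default scopes"))
    return findings

# Constructed samples: the e2e config job roughly as it was before this PR, then hardened.
WEAK = """\
on: issue_comment
jobs:
  config:
    steps:
      - uses: actions/checkout@v1
      - run: |
          echo "::set-output name=cmd::${{ github.event.comment.body }}"
"""
# The 40-zero SHA stands in for the real pinned commit; it is a placeholder, not a real ref.
HARDENED = """\
on: issue_comment
permissions:
  contents: read
jobs:
  config:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.3.1
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "cmd=$COMMENT_BODY" >> "$GITHUB_OUTPUT"
"""
```

Run `lint_workflow(WEAK)` to see the three findings the PR's changes remove, and `lint_workflow(HARDENED)` to confirm the env-var indirection, SHA pin and `permissions:` block all pass.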
@tamalsaha tamalsaha merged commit 39eba5d into master May 15, 2026
5 checks passed
@tamalsaha tamalsaha deleted the nolgtm branch May 15, 2026 04:20