From 5a112165aa7afa578cc8c834ab81277527c353dd Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:00:06 +0600 Subject: [PATCH 1/5] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index bf2db14..4bd1c17 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -21,8 +21,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -38,7 +38,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh From b8017f7de05d710614d2cb7ad43e9bd88fead63c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:00:06 +0600 Subject: [PATCH 2/5] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. 
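Review bot: `git config --global user.email "${GITHUB_USER}@appscode.com"` now fabricates an address for whichever account merged the PR, because `GITHUB_USER` became `${{ github.actor }}`: for a contributor without an appscode.com mailbox the tracker commits carry an email that belongs to nobody and will not link to their GitHub account. The fixed `1gtm` identity at least made the `@appscode.com` suffix plausible for a shared bot. Use GitHub's noreply form instead — `GITHUB_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com` in `env:` and `git config --global user.email "${GITHUB_EMAIL}"` — or keep a dedicated bot identity for authorship and use the actor only for authentication. The same `env:` change is repeated in the second hunk, so whichever identity is chosen should be applied to both.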
Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/preview-website.yml | 8 ++++---- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 8 +++++--- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dd184a9..d6deae0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,11 +19,11 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: true - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 985a99a..e59203a 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -16,18 +16,18 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: true - name: Set up Go 1.x - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Use Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true @@ -57,7 +57,7 @@ jobs: make docs make gen-prod - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0 with: repoToken: '${{ secrets.GITHUB_TOKEN }}' firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }}' diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4bd1c17..616cd99 100644 --- a/.github/workflows/release-tracker.yml 
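Review bot: The pinned checkout still leaves `persist-credentials` at its default of `true`, so the job's GITHUB_TOKEN is written into `.git/config` and stays readable by `npm install` (and any postinstall script a dependency ships) and by every `make` target that follows; SHA pinning protects against a re-pointed tag but does nothing about that persisted token. Nothing visible in this hunk pushes with git, so add `persist-credentials: false` under `with:` next to `submodules: true`; checkout still authenticates the submodule fetch with the token during the step, the flag only controls whether it is left on disk afterwards. Pinned SHAs also freeze silently — add a `.github/dependabot.yml` entry for the `github-actions` ecosystem (or Renovate) so they keep receiving updates. The `# v4.3.1` / `# v4.4.0` comments are what the next person trusts when re-pinning, so verify them against the tags with a tool such as pinact rather than by eye.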
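Review bot: `FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0` carries a floating major as its trailing comment, so unlike the other pins in this patch a reader cannot tell which release the SHA is or judge what a future re-pin changes; resolve it to the exact release tag the SHA corresponds to and put that in the comment. This step also receives `secrets.FIREBASE_SERVICE_ACCOUNT_QA` alongside `secrets.GITHUB_TOKEN`, and the workflow's trigger is outside the hunk — if it is `pull_request_target`, a fork PR reaches `npm install`/`make gen-prod` with the QA service account in scope; on plain `pull_request`, forks get no secrets and the deploy simply fails. Worth a one-line comment above the step recording which of the two it is and why, e.g. `# runs on pull_request only: fork PRs get no secrets, so previews are internal-only by design`.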
+++ b/.github/workflows/release-tracker.yml @@ -13,9 +13,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 277b61d..7e4a984 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,18 +16,20 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: + fetch-depth: 1 + fetch-tags: true submodules: true - name: Set up Go 1.x - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Use Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true From f84971be13e699296158b22318fdae5edf66a1e2 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 18:17:22 +0600 Subject: [PATCH 3/5] Migrate firebase-tools auth to service account Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e4a984..0ad638b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
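Review bot: `contents: write` at the job level turns the token actions/checkout persists into `.git/config` into a write-capable one, and every later step of this job can read it — including the `curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1` that appears as context in patch 5, an unpinned script fetched from a moving branch. Permissions are job-scoped in Actions, so the lever for keeping the write token out of the workspace is `persist-credentials: false` under `with:` on this checkout, with the token supplied only through `env:` on the step that pushes (which the existing `Prepare git`/`Update release tracker` steps already do). Also worth a comment on the permission itself, e.g. `# contents: write — update-release-tracker.sh pushes commits/tags with GITHUB_TOKEN`, so it is obvious the scope can shrink once the push authenticates some other way.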
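Review bot: `fetch-depth: 1` with `fetch-tags: true` fetches the tag refs but no history, so anything in `make docs`/`make release` that walks commits (a `git describe`, a changelog between two tags) will see a single commit with all other tags pointing at objects that were never fetched; if the release scripts need that, `fetch-depth: 0` is the setting, otherwise a comment such as `# shallow: only the triggering tag is needed, no history walk` would make the intent explicit. The checkout also keeps `persist-credentials` at `true`, so the default token sits in `.git/config` while `npm install` and the `make` targets run; unless a later step pushes over HTTPS with it, add `persist-credentials: false` under `with:` here too. The trigger and the rest of the job are outside this hunk, so I cannot see whether such a push exists.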
@@ -58,18 +58,22 @@ jobs: - name: QA env: - FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }} + FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }} if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) run: | + printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json" + export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json" npm install make docs make qa - name: Release env: - FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }} + FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_PROD }} if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) == false run: | + printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json" + export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json" npm install make docs make release From e93c87da0e4e059b92a2cfecea1a24df47e4f102 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 18:56:38 +0600 Subject: [PATCH 4/5] Grant preview-website job the permissions Firebase deploy needs Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index e59203a..9e06f25 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -15,6 +15,10 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read + checks: write + pull-requests: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From 59bf25085a3f2073679d335918cd7a1022f03945 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:47:36 +0600 Subject: [PATCH 5/5] Use GitHub App token for release tracker comments 
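Review bot: The service account key is written to `$RUNNER_TEMP/firebase-key.json` before `npm install` runs, so every dependency lifecycle script executes with a long-lived GCP credential sitting at a predictable path and `GOOGLE_APPLICATION_CREDENTIALS` already pointing at it; the `FIREBASE_TOKEN` it replaces was at least only an environment variable. Write the file after `npm install` (or use `npm ci --ignore-scripts`), create it with a restrictive mode, and remove it when the step exits — otherwise it survives to post-job steps with whatever the runner's default umask grants (typically 0644). The QA and Release steps are copies of each other apart from the secret name and the final `make` target, so the same fix applies to both. Longer term, `google-github-actions/auth` with Workload Identity Federation removes the stored key altogether.
```yaml
      - name: QA
        # … unchanged: env / if …
        run: |
          npm install
          # materialise the key only after dependency scripts have run; 0600, removed on exit
          (umask 077 && printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json")
          trap 'rm -f "$RUNNER_TEMP/firebase-key.json"' EXIT
          export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json"
          make docs
          make qa
      # … unchanged: Release step, same shape with FIREBASE_SERVICE_ACCOUNT_PROD and `make release` …
```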
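Review bot: `pull-requests: write` and `checks: write` let this job post on PRs, which is presumably what action-hosting-deploy's preview comment needs, but the workflow trigger is outside the hunk: on `pull_request_target` the job would run fork-supplied code with these write scopes and with `FIREBASE_SERVICE_ACCOUNT_QA` available, whereas on plain `pull_request` fork runs get a read-only token and no secrets regardless of what is declared here. Confirm the trigger and, if previews for forks are actually wanted, split the untrusted build from the trusted deploy (`workflow_run`) rather than widening this job. A short comment above `permissions:` stating why each scope is needed, e.g. `# checks/pull-requests: action-hosting-deploy posts the preview URL as a check and PR comment`, would stop the next person from adding more.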
Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 616cd99..4499173 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -35,12 +35,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh
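Review bot: Two lines above the new step, `curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1` still downloads an unpinned installer from a moving branch and pipes it into bash, and it now runs in the same job that mints a GitHub App installation token with write access to `CHANGELOG` — after a series built around pinning every action to a SHA, this is the one remaining unpinned remote script in the job. Pin the raw URL to a commit SHA and verify the downloaded binary's checksum, or drop `hub` for the preinstalled `gh` if `update-release-tracker.sh` can be adapted. The `repositories: CHANGELOG` scope and the `if:` mirroring the consumer step are the right shape; since the push now goes through the app token, `secrets.GITHUB_TOKEN` is left with only `git config` in Prepare git, so the job's `contents: write` from patch 2 can probably revert to `contents: read` — assuming the script touches only the CHANGELOG repository, which the token scope already implies. With the app doing the push, the author configured in Prepare git (`${{ github.actor }}@appscode.com`) no longer matches the authenticating identity; the app's bot login would be the more honest author for these commits.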