From f710e25dc190a9fbfc9f3941e9f3874bc66e122d Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:22:01 +0600
Subject: [PATCH 1/6] Harden GitHub Actions workflows

- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha
---
.github/workflows/ci.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e5fb06f..33b1f62 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Set up Go 1.25
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: '1.25'
 id: go
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Prepare Host
 run: |

From cdcc4be7ca44481b0387cc868a7aa85985d72f1d Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 14:03:31 +0600
Subject: [PATCH 2/6] Add 1gtm-app[bot] to kodiak auto_approve_usernames

Signed-off-by: Tamal Saha
---
.github/.kodiak.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index ded81e4..e586458 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]

From 44909059e2cd057b41ab3c223d4fc1b409ec0999 Mon Sep 17 00:00:00 2001
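Review bot: The new pinned `actions/checkout` line keeps the action's default `persist-credentials: true`, so the job's GITHUB_TOKEN is written into `.git/config` and stays readable by every later step, including the `Prepare Host` shell script that follows; for a hardening pass add `with:` / `persist-credentials: false` under it unless a later step needs to push. The `# v5.6.0` and `# v4.3.1` comments are not validated by Actions, so the SHA-to-tag mapping should be checked once against the upstream release and then kept current by Dependabot's `github-actions` ecosystem, which bumps pinned SHAs and their version comments together. The commit message also lists fetch-tags and release-tracker.yml changes that are not in this patch (the diffstat covers only these two ci.yml lines), which should be reconciled before merge. The job's `permissions:` block, if any, lies outside the hunk, so I cannot tell whether the token is already read-only.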
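Review bot: The added `1gtm-app[bot]` entry makes every pull request authored by that GitHub App count as approved with no human review, so whoever holds the app's private key or an installation token effectively holds approval rights on this repository; the line should say which app this is and why its PRs are trusted, e.g. `# 1gtm-app[bot]: GitHub App that opens automated PRs; they merge without human approval`. Kodiak matches on the PR author's login, so the protection here rests entirely on that app's credentials being kept out of workflow files and limited to the repositories and permissions it needs, which is worth confirming alongside this change since the diff itself cannot show it.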
From: Tamal Saha
Date: Thu, 14 May 2026 15:05:29 +0600
Subject: [PATCH 3/6] Normalize kodiak auto_approve_usernames

Signed-off-by: Tamal Saha
---
.github/.kodiak.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index e586458..b64a5f6 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]
\ No newline at end of file

From f483acfcd6682aacbab20c79a1e6d68671ffff28 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:53:21 +0600
Subject: [PATCH 4/6] Makefile: use --tags in git describe so lightweight tags resolve

Signed-off-by: Tamal Saha
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f76d44f..56ce232 100644
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,7 @@ API_GROUPS ?= apps:v1 security:v1
 # This version-strategy uses git tags to set the version string
 git_branch := $(shell git rev-parse --abbrev-ref HEAD)
-git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "")
+git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "")
 commit_hash := $(shell git rev-parse --verify HEAD)
 commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T)

From 9a374553c4fa08914c0d6274190f95ef2c821758 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 21:52:24 +0600
Subject: [PATCH 5/6] Remove bzr install from workflows

Signed-off-by: Tamal Saha
---
.github/workflows/ci.yml | 2 --
1 file changed, 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 33b1f62..08ea68d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
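Review bot: The rewritten `auto_approve_usernames` line loses the file's trailing newline (`\ No newline at end of file` appears on the new side only), so the next edit to the last line will show up as a two-line change and some TOML tooling will complain; restore the newline so the file stays a well-formed text file. The reorder of the entries is cosmetic and needs no further change.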
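Review bot: With `--tags`, `git_tag` can now be populated from a lightweight tag, which carries no tagger, date or signature, so any release step that runs `git verify-tag` before trusting `$(git_tag)` no longer has that guarantee for every tag this line accepts; that trade-off should be recorded on the line, e.g. `# --tags also matches lightweight (unsigned) tags, not only annotated release tags`. When several tags point at HEAD, `git describe --exact-match` still reports a single one and the choice is git's, not this Makefile's, so a stray lightweight tag on a release commit could now set the version; if that matters, listing with `git tag --points-at HEAD` and filtering explicitly is more predictable. The `:=` assignment is right here, since it runs the `$(shell …)` once at parse time.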
@@ -29,8 +29,6 @@ jobs:
 - name: Prepare Host
 run: |
- sudo apt-get -qq update || true
- sudo apt-get install -y bzr
 curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl
 chmod +x ./kubectl
 sudo mv ./kubectl /usr/local/bin/kubectl

From 2bf1ed716cbb706e82b83e2b53d730fd284992c8 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Fri, 15 May 2026 14:30:43 +0600
Subject: [PATCH 6/6] Makefile: use golangci-lint v1-compatible --skip-files flag

Signed-off-by: Tamal Saha
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 56ce232..980f84d 100644
--- a/Makefile
+++ b/Makefile
@@ -215,7 +215,7 @@ lint: $(BUILD_DIRS)
 --env GO111MODULE=on \
 --env GOFLAGS="-mod=vendor" \
 $(BUILD_IMAGE) \
- golangci-lint run --enable $(ADDTL_LINTERS) --timeout=10m --exclude-files="generated.*\.go$\" --exclude-dirs-use-default --exclude-dirs=client,vendor
+ golangci-lint run --enable $(ADDTL_LINTERS) --timeout=10m --skip-files="generated.*\.go$\" --exclude-dirs=client,vendor
 $(BUILD_DIRS):
 @mkdir -p $@
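Review bot: The new `golangci-lint run` line still ends the regex with `$\"`; in a GNU Make recipe `$\` is a reference to a single-character variable named `\`, which is empty (and `--warn-undefined-variables` should report it), so the shell receives `--skip-files="generated.*\.go"` and the `$` end-anchor never reaches golangci-lint. If the anchor is intended, write `--skip-files="generated.*\.go$$"`; the `lint:` recipe begins outside the hunk. Since `--skip-files` is, as I recall, the spelling later v1 releases deprecated in favour of `--exclude-files` and v2 drops the flag entirely, a comment naming the golangci-lint version this recipe targets would spare the next maintainer a round-trip, e.g. `# --skip-files: golangci-lint v1 spelling; newer releases call it --exclude-files`.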