From 6375e674f53f60f766bb569527e1e51f3b26cc72 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 22:58:48 +0600 Subject: [PATCH 01/21] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- .github/workflows/release.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4b79b251..ddf30b2a 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,8 +18,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -35,7 +35,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f17983a..5be6b248 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,8 +25,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -x git config --global user.name "${GITHUB_USER}" From 2f789ef486bb188bcc0fce289cded64f011fda18 Mon Sep 17 00:00:00 2001 
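Review bot: Swapping the PAT for `secrets.GITHUB_TOKEN` in the `Prepare git` env is the right direction, but the step still builds an authenticated remote from it (the `run:` block continues outside this hunk; the release-tracker context later in this series shows it ending in `git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/...`), which writes the token in plain text into `.git/config` where every later step and third-party action in the job can read it, and release.yml runs that under `set -x`. Actions log-masking redacts the token from the echoed command but not from the on-disk config, and actions/checkout already persists a `GITHUB_TOKEN` auth header for `origin`, so the set-url is redundant for the default token; drop it, or if a different credential is needed pass it as `with: token:` to checkout instead of embedding it in the URL. Also note `${{ github.actor }}` on a tag push is whoever pushed the tag, so commits are attributed to `<actor>@appscode.com`, an address that need not exist; a fixed identity such as `github-actions[bot]` / `41898282+github-actions[bot]@users.noreply.github.com` is the usual pairing with the default token.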
From: Tamal Saha Date: Mon, 11 May 2026 22:58:48 +0600 Subject: [PATCH 02/21] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 13 ++++++++----- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 09b691f8..858ebcae 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,12 +19,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Build run: go build -v ./... diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ddf30b2a..3bbd8b29 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,9 +12,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5be6b248..25e3b249 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
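Review bot: Pinning the action SHAs in ci.yml does not shrink what the job's `GITHUB_TOKEN` can do; the hunk shows no `permissions:` block for the build job, so unless one is set at the workflow level above line 19 the build runs with the repository's default token permissions, which on older repositories is still read/write on everything. A build-and-test job only needs to read the checkout, so add `permissions:` / `  contents: read` under `runs-on: ubuntu-24.04`, matching the explicit block this same commit adds to release-tracker.yml. Keep the trailing `# v5.6.0` / `# v4.3.1` comments exactly in step with the SHAs so Dependabot/Renovate can continue to bump them.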
@@ -15,10 +15,13 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Set up Go 1.24 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.24' id: go @@ -42,12 +45,12 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Publish to GitHub Container Registry env: @@ -70,7 +73,7 @@ jobs: make docker-certify-redhat - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 if: startsWith(github.ref, 'refs/tags/') with: files: | From 9123d9d92d1cfbcae993203ca482daf9648a2d26 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 00:13:23 +0600 Subject: [PATCH 03/21] Authenticate to ghcr.io/appscode with GitHub App token Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 25e3b249..7ac8bb22 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -52,16 +52,41 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 + id: app-token + with: + client-id: ${{ secrets.GHCRX_APP_CLIENT_ID }} + private-key: ${{ secrets.GHCRX_APP_PRIVATE_KEY }} + owner: appscode + + - name: Login to GitHub Container Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ghcr.io + username: ${{ steps.app-token.outputs.app-slug }}[bot] + password: ${{ steps.app-token.outputs.token }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/appscode - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm APPSCODE_ENV: prod run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} make release COMPRESS=yes + - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 + id: app-token + with: + client-id: ${{ secrets.GHCRX_APP_CLIENT_ID }} + private-key: ${{ secrets.GHCRX_APP_PRIVATE_KEY }} + owner: appscode + + - name: Login to GitHub Container Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ghcr.io + username: ${{ steps.app-token.outputs.app-slug }}[bot] + password: ${{ steps.app-token.outputs.token }} + - name: Publish to Red Hat Ecosystem Catalog env: REGISTRY: ghcr.io/appscode From bb1ca6ad0ea40aa0668992d4f4617ca6c8161456 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 00:25:16 +0600 Subject: [PATCH 04/21] Deduplicate app-token and ghcr login steps Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7ac8bb22..93c156d7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
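Review bot: The `create-github-app-token` step sets only `owner: appscode`, with no `repositories:` and no `permission-*` input, so the minted installation token carries every permission the app holds on every repository it is installed on, and docker/login-action then stores that token base64-encoded (not encrypted) in `~/.docker/config.json`, readable by any later step or third-party action in the job. A registry login needs nothing beyond packages access, so narrow it with `permission-packages: write` (and a `repositories:` list if the app is installed org-wide) so a leaked credential cannot reach code, issues or PRs. Removing the `docker login ... --password ${DOCKER_TOKEN}` CLI invocation is a good change on its own, as it kept the secret out of the process list. The `Publish to Red Hat Ecosystem Catalog` step continues past the end of this hunk.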
@@ -73,20 +73,6 @@ jobs: run: | make release COMPRESS=yes - - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 - id: app-token - with: - client-id: ${{ secrets.GHCRX_APP_CLIENT_ID }} - private-key: ${{ secrets.GHCRX_APP_PRIVATE_KEY }} - owner: appscode - - - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - with: - registry: ghcr.io - username: ${{ steps.app-token.outputs.app-slug }}[bot] - password: ${{ steps.app-token.outputs.token }} - - name: Publish to Red Hat Ecosystem Catalog env: REGISTRY: ghcr.io/appscode From 137300faa5e2cd8437a0618036b19a6ee3cb8622 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 09:44:41 +0600 Subject: [PATCH 05/21] Add job permissions for workflow Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 93c156d7..4af24748 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,9 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write + packages: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From 72b8a5bac7299d238c98afb400862372adc17ab8 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:47:12 +0600 Subject: [PATCH 06/21] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 3bbd8b29..0c59d75f 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
@@ -32,12 +32,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 1d13e88d93c44d73d4a43e9d780d4f2ee0632cfc Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:29:47 +0600 Subject: [PATCH 07/21] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 5 ----- hack/scripts/update-release-tracker.sh | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0c59d75f..f2cd0588 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -27,11 +27,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 7184cb6f..c8bfc4ff 100755 --- a/hack/scripts/update-release-tracker.sh 
+++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From e57d29c07b1ca77dd65b75a12b28100b7d4569f1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:41:02 +0600 Subject: [PATCH 08/21] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index f2cd0588..b5246389 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -18,15 +18,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From 7cc563ecb744318332fb86d7c036f3baf832b5b6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:06:34 +0600 Subject: [PATCH 09/21] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index b5246389..96fd05c9 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
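Review bot: `gh api` resolves its credential from `GH_TOKEN` first and only then from `GITHUB_TOKEN`, so this works with the `GITHUB_TOKEN` env the workflow step exports but will silently switch identities if a `GH_TOKEN` is ever present on the runner; pinning the App token explicitly, `GH_TOKEN="$GITHUB_TOKEN" gh api "$api_url" -f body="$msg"`, removes that ambiguity. Passing `$msg` via `-f` sends it as a request field rather than through a shell, so PR-derived text in the message cannot inject into the command, which is the right shape to keep. The `case` that builds `api_url` and `msg` starts outside the hunk, so I could not confirm the script runs under `set -euo pipefail`; dropping the `curl ... | bash` installer of `hub` from a moving `master` branch in the same commit is a clear improvement.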
@@ -18,8 +18,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -36,6 +36,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From 455ed47243492e30cf4d26ee0e382ebc083901d4 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:16:24 +0600 Subject: [PATCH 10/21] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 96fd05c9..d6971e41 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -11,6 +11,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -20,9 +21,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -31,9 +29,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From 4c1ee12c42ad9c963dc256722e799f51e49cdef8 Mon Sep 17 00:00:00 2001 
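Review bot: Dropping `github.event.action == 'closed'` from the gate changes when this job fires: `github.event.pull_request.merged` remains `true` for every subsequent `pull_request` event on an already-merged PR (`labeled`, `edited`, `unlabeled`, ...), so if the workflow's `on.pull_request.types` (above the hunk) lists anything beyond `closed`, the release-tracker comment is posted again each time a merged PR is touched. Keep both conditions at job level, `if: github.event.action == 'closed' && github.event.pull_request.merged == true`. If the trigger is exactly `types: [closed]` the shorter form is equivalent and this note can be ignored.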
From: Tamal Saha Date: Wed, 13 May 2026 18:51:28 +0600 Subject: [PATCH 11/21] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index d6971e41..1e11e07d 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,8 +13,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From 6fe408482016c02f88065d5f7dc80acd9cfea7ed Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:00:11 +0600 Subject: [PATCH 12/21] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 1e11e07d..6be6c21e 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -25,6 +25,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From 0a48b9c7e1db3469e0eac9a2e38852633fe0835d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:34:48 +0600 Subject: [PATCH 13/21] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4af24748..ba3b3f0b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
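Review bot: Removing the job-level `permissions:` block does not weaken the job's `GITHUB_TOKEN`; it makes it fall back to the repository/organization default, which for older repositories is still read/write on everything. Nothing in this job uses the default token any more (checkout needs only read, and the update step uses the LGTM App token), so the least-privilege form is an explicit `permissions:` / `  contents: read` under `runs-on:` rather than no block at all. That matters here because the job is PR-triggered and has the App private key in scope, so a compromised step should not also hold a writable ambient token.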
@@ -20,8 +20,7 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Set up Go 1.24 uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 From 79804d0ebe7fd8b510a1359ee35bb7c63bdd8cc6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 11:47:24 +0600 Subject: [PATCH 14/21] Use docker/login-action; drop redundant docker hub steps Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba3b3f0b..4b920037 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -68,6 +68,13 @@ jobs: username: ${{ steps.app-token.outputs.app-slug }}[bot] password: ${{ steps.app-token.outputs.token }} + - name: Log in to the GitHub Container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: 1gtm + password: ${{ secrets.LGTM_GITHUB_TOKEN }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/appscode From 48b6c1c22c32dffb1ba56f2b6b18998df8f2b5a5 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:01:34 +0600 Subject: [PATCH 15/21] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43..e5864589 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 334561352b249fdb428dc66c329e05165a91b2b1 Mon Sep 17 00:00:00 2001 
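Review bot: The new `Log in to the GitHub Container registry` step targets the same `ghcr.io` registry as the `app-token` login immediately above it, and Docker keeps a single credential per registry in `~/.docker/config.json`, so the `1gtm` PAT silently replaces the App token and is what `make release` actually pushes with, leaving the App-token steps as dead code (a later commit in this series deletes them, confirming this). More importantly, `LGTM_GITHUB_TOKEN` is the long-lived user PAT that PATCH 01 set out to retire: it does not expire with the job and a leak grants everything the `1gtm` account can do, while the job already has `packages: write` from PATCH 05 and `secrets.GITHUB_TOKEN` can push packages that live under this repository's owner and are linked to this repo. If the `ghcr.io/appscode` images meet that condition, use `username: ${{ github.actor }}` / `password: ${{ secrets.GITHUB_TOKEN }}` here and drop the PAT; if they do not, at least use a fine-grained PAT limited to `packages: write` on the affected packages.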
From: Tamal Saha Date: Thu, 14 May 2026 14:06:23 +0600 Subject: [PATCH 16/21] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e5864589..b5aa723c 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot, "1gtm-app[bot]"]"] From 8710336944266b33306430dbb5a22b8fe5225be0 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:08:03 +0600 Subject: [PATCH 17/21] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index b5aa723c..b64a5f6f 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot, "1gtm-app[bot]"]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From d0cdfcc10506c39dc44e44037ac06b9034959bcf Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:34:45 +0600 Subject: [PATCH 18/21] Pin docker/login-action to v4.1.0 Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4b920037..65b7e1fe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
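Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` makes Kodiak approve any pull request opened by that App identity (and merge it, if automerge is enabled elsewhere in this config), so a required-reviewer rule on the protected branch is now satisfied by whoever can mint an installation token for the LGTM App. Its private key and client ID are repository secrets consumed by workflow runs in this same series, so every job that can read them effectively holds approve-and-merge rights; keep them out of any `pull_request_target` or fork-reachable workflow and consider moving them into a protected environment. This fix also drops the file's trailing newline (`\ No newline at end of file`); restore it so the next diff stays clean.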
@@ -69,7 +69,7 @@ jobs: password: ${{ steps.app-token.outputs.token }} - name: Log in to the GitHub Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: 1gtm From e2b892f6da8c6dd57135bf671fdc25e11790032e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:38:14 +0600 Subject: [PATCH 19/21] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 65b7e1fe..f907d7d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -93,7 +93,7 @@ jobs: make docker-certify-redhat - name: Release - uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 if: startsWith(github.ref, 'refs/tags/') with: files: | From 35a6e9de515ced1014099573ca719073bbf9bb08 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:52:01 +0600 Subject: [PATCH 20/21] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index eb7226d3..c47c8a0c 100644 --- a/Makefile +++ b/Makefile 
@@ -31,7 +31,7 @@ SRC_REG ?= # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date -u -r $$(git show -s --format=%ct) +%FT%T 2>/dev/null || date --date="@$$(git show -s --format=%ct)" --utc +%FT%T 2>/dev/null || echo "") From e1f58fa820b01a016e081d1454f50fdd4d890509 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 15 May 2026 12:15:56 +0600 Subject: [PATCH 21/21] Harden CI workflows; replace GHCRX app token with LGTM_GITHUB_TOKEN Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f907d7d8..58a0599c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -54,20 +54,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 - id: app-token - with: - client-id: ${{ secrets.GHCRX_APP_CLIENT_ID }} - private-key: ${{ secrets.GHCRX_APP_PRIVATE_KEY }} - owner: appscode - - - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - with: - registry: ghcr.io - username: ${{ steps.app-token.outputs.app-slug }}[bot] - password: ${{ steps.app-token.outputs.token }} - - name: Log in to the GitHub Container registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with:
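Review bot: Adding `--tags` makes `git describe` match lightweight tags, which unlike annotated tags carry no tagger identity and cannot be signed, so the version string baked into the release binary can now come from any tag an account with tag-push rights creates; if the intent was that only annotated or signed release tags set `git_tag`, this widens it. If lightweight tags are acceptable, pair the change with a tag protection rule (or a `git verify-tag "$(git describe --tags --exact-match)"` step in release.yml) so the tag that names a release stays trustworthy. `--exact-match` is retained, so untagged commits still yield an empty `git_tag`, which is the safer default.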