From 435cde2df416c1ec54ac9537b1a766c64a11fb02 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:18:46 +0600
Subject: [PATCH 1/6] Use dynamic github token
Signed-off-by: Tamal Saha
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e2f33759..71a97dd3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,8 +37,8 @@ jobs:
 - name: Prepare git
 env:
- GITHUB_USER: 1gtm
- GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+ GITHUB_USER: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 set -x
 git config --global user.name "${GITHUB_USER}"
From 2fe5ed47c05f76bd4a4f1319a7a8fbbad10423d5 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:18:46 +0600
Subject: [PATCH 2/6] Harden GitHub Actions workflows
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.
Signed-off-by: Tamal Saha
---
 .github/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 71a97dd3..96258978 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
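Review bot: The token on the new `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line carries only the repository's default workflow permissions, and nothing in this hunk grants it `contents: write`, so any push the rest of the `run:` script makes (it continues outside the hunk) fails with 403 wherever the default is read-only; add `permissions: { contents: write }` on this job as the later patch description says release-tracker.yml does. Unlike the PAT it replaces, commits and tags pushed with `GITHUB_TOKEN` do not start further workflow runs, so confirm no tag- or push-triggered workflow depends on what this step pushes. `github.actor` is the login that triggered the run, which on a re-run or a bot-triggered event is not necessarily the person who authored the change; acceptable for `user.name`, but worth a comment such as `# actor of the triggering event, not the change author`.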
@@ -18,22 +18,22 @@ jobs:
 name: Build
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up Go 1.25
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: '1.25'
 id: go
 - name: Set up QEMU
 id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 with:
 cache-image: false
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Prepare git
 env:
From d35f69dc946618e8bfefdcfca628167405a5ccca Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 17:26:53 +0600
Subject: [PATCH 3/6] Apply kubedb/installer#2281: harden CI workflows
Signed-off-by: Tamal Saha
---
 hack/scripts/update-release-tracker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh
index 55be4c91..dee1e317 100755
--- a/hack/scripts/update-release-tracker.sh
+++ b/hack/scripts/update-release-tracker.sh
@@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in
 ;;
 esac
-hub api "$api_url" -f body="$msg"
+gh api "$api_url" -f body="$msg"
From 8dc7e80ab3216f8b27971d6480ba4d8e49943c8b Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 14:03:15 +0600
Subject: [PATCH 4/6] Add 1gtm-app[bot] to kodiak auto_approve_usernames
Signed-off-by: Tamal Saha
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index ded81e43..e5864589 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
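Review bot: The four new `uses:` lines pin commit SHAs whose trailing `# vX.Y.Z` comments cannot be checked from the hunk; the comment is documentation only, so each SHA should be verified to resolve to the named release tag before merge, otherwise the comment gives false assurance about what actually runs. Pinning also freezes these versions, so a `.github/dependabot.yml` entry for the `github-actions` ecosystem (or Renovate) should accompany this change so SHA and comment are bumped together instead of silently aging. The `actions/checkout` step still stores the job token in `.git/config` by default; if the later "Prepare git" push (outside this hunk) authenticates with its own `GITHUB_TOKEN` env rather than that stored credential, `with: { persist-credentials: false }` would keep the token out of the workspace — confirm which path the push uses before adding it.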
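Review bot: `gh api` on the new last line authenticates from `GH_TOKEN` or `GITHUB_TOKEN` in the environment and ignores hub's `GITHUB_USER` and `~/.config/hub`, so any caller that only exported the user/token pair for hub must now export the token variable; the script's top, where the environment is read, is outside the hunk. With `-f` present `gh api` sends a POST, matching the old `hub api -f` behavior, but that is implicit; `gh api --method POST "$api_url" -f body="$msg"` keeps the intent explicit if someone later drops the field. Since the body is created from `$msg`, also worth a one-line comment above the call stating which token scope the POST needs, e.g. `# requires a token with issues/PR write access on the target repo`.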
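Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` under `[approve]` means every pull request opened by that GitHub App gets an approval without a human looking at it, and whether it then merges depends only on the merge requirements configured elsewhere in this file (outside the hunk) and on branch protection. The effective trust boundary becomes the App's private key and installation tokens, so those should be installed on and permitted for the minimum set of repositories, and the list should not grow beyond accounts whose credentials are controlled the same way. Document that trust decision next to the entry, e.g. `# 1gtm-app[bot]: release-automation App; its PRs are auto-approved, so its key must stay tightly scoped`.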
From 81f98425f571242448465c7c044f086e7b46ed71 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 15:05:14 +0600
Subject: [PATCH 5/6] Normalize kodiak auto_approve_usernames
Signed-off-by: Tamal Saha
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index e5864589..b64a5f6f 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]
\ No newline at end of file
From f613c9a002fcb3b07d553f594d9eb46b26cbfda0 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:53:06 +0600
Subject: [PATCH 6/6] Makefile: use --tags in git describe so lightweight tags resolve
Signed-off-by: Tamal Saha
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a2ccd17d..b3d98dee 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ BIN := fake-apiserver
 # This version-strategy uses git tags to set the version string
 git_branch := $(shell git rev-parse --abbrev-ref HEAD)
-git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "")
+git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "")
 commit_hash := $(shell git rev-parse --verify HEAD)
 commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T)
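Review bot: The new `auto_approve_usernames` line is marked `\ No newline at end of file`, so this reorder also drops the file's trailing newline, which the old line had; restore it, or the next edit to the file carries the same spurious churn and some TOML linters reject it. The order of the three logins has no documented effect that I can see from the hunk, so apart from the newline the change is cosmetic and could be squashed into the previous commit.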
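Review bot: With `--tags` on the new `git_tag :=` line, any lightweight tag pointing at HEAD now becomes the version string, not only annotated ones, so a stray non-release tag on the same commit would be chosen; if release tags follow a naming pattern, `git describe --tags --match 'v*' --exact-match --abbrev=0` (pattern is a constructed example) keeps the old selectivity. `--exact-match` also only succeeds when the tag ref exists locally, so this depends on the CI checkout fetching tags — the patch 2 description mentions `fetch-tags: true` for tag-triggered workflows, but the ci.yml checkout step shown in patch 2 has no such option, so verify the resolution actually works on a shallow clone. The `|| echo ""` fallback means a missing tag silently yields an empty version rather than failing the build; that is existing behavior, but worth a comment on the line saying so.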