
Harden CI workflows #259

Merged: tamalsaha merged 21 commits into master from nolgtm on May 15, 2026

Conversation

@tamalsaha

Member

Summary

Tighten the GitHub Actions workflows in this repo so they no longer depend on a long-lived LGTM_GITHUB_TOKEN PAT, and bring them in line with GitHub's hardening guidance.

  • Use the default GITHUB_TOKEN instead of a PAT for in-repo operations. GITHUB_USER switches to github.actor.
  • Scope GITHUB_TOKEN to least privilege at the job level. release-tracker.yml gets contents: write so the token can push commits/tags back to this repo.
  • Pin every action to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be silently re-pointed.
  • Tag-triggered workflows now check out with fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone.
  • Bump outdated actions/checkout@v1 to @v4.3.1 where it appeared.

Test plan

  • CI passes on this PR.
  • Confirm release-tracker continues to push commits/tags on PR close.
  • Confirm release.yml still functions on the next tag.

🤖 Generated with Claude Code
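As an added check (not code from this PR or the repository), the script below lints a GitHub Actions workflow for two of the hardening points in the description: every `uses:` ref pinned to a 40-hex commit SHA with a trailing version comment, and a `permissions:` block declared on each job. The workflow text inside it is constructed for illustration and is not one of this repo's workflows.

```python
"""Lint a GitHub Actions workflow for action pinning and job-level permissions."""
import re

# Constructed sample (not from the repo): the first job is hardened, the
# second still uses a floating tag, an uncommented SHA, and the default token.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
        with:
          fetch-depth: 1
          fetch-tags: true
  release-tracker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")                      # full-length commit SHA
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?")  # ref + optional comment
JOB = re.compile(r"^  (\S+):\s*$")                            # two-space indent = job name


def lint_workflow(text):
    """Return (job, message) findings; an empty list means the workflow passes."""
    findings, job, has_perms = [], None, {}
    for line in text.splitlines():
        m = JOB.match(line)
        if m:
            job = m.group(1)
            has_perms[job] = False
            continue
        if job and re.match(r"^    permissions:", line):   # job-level block only
            has_perms[job] = True
            continue
        m = USES.match(line)
        if not m or job is None:
            continue
        action, _, version = m.group(1).partition("@")
        if not SHA_PIN.match(version):
            findings.append((job, f"{action} pinned to floating ref @{version}"))
        elif not m.group(2):
            findings.append((job, f"{action} SHA pin lacks a version comment"))
    for name, ok in has_perms.items():
        if not ok:
            findings.append((name, "no job-level permissions: block"))
    return findings
```

Run `lint_workflow(open(".github/workflows/ci.yml").read())` over a real file; a clean result means every step is SHA-pinned with a comment and every job states its own token scope.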

tamalsaha added 2 commits May 11, 2026 23:46
Signed-off-by: Tamal Saha <tamal@appscode.com>
- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 11, 2026
tamalsaha added 2 commits May 15, 2026 11:45
The Run checks step does not install any apt packages; kubectl is
fetched via curl. Removing the no-op apt-get update tightens the
workflow.

Signed-off-by: Tamal Saha <tamal@appscode.com>
- Generate a scoped LGTM App token (contents+pull-requests write)
  instead of using the default GITHUB_TOKEN, which lacks cross-repo
  push access to the installer repository.
- Mask the parsed owner/name derived from the INSTALLER_REPOSITORY
  secret so they do not leak into logs.
- Set http.extraheader via git config before cloning so the token is
  never baked into the remote URL or .git/config.
- Pin GITHUB_USER to 1gtm for consistent attribution on manual
  workflow_dispatch runs.
- Drop the Set up Go step; neither import-crds.sh nor open-pr.sh
  invokes the Go toolchain.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha merged commit c02a92d into master May 15, 2026
4 of 5 checks passed
@tamalsaha tamalsaha deleted the nolgtm branch May 15, 2026 05:46