From 13e2c488e966222214ef64ef1ecd1102d7c11414 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:53:33 +0600 Subject: [PATCH 01/24] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 8 ++++---- .github/workflows/update-docs.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 06bee2c04..84f420098 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -19,8 +19,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -36,7 +36,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 30a77ac37..dae114064 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -31,8 +31,8 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" 
@@ -44,8 +44,8 @@ jobs: - name: Update docs env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | export DOCS_ROOT=$RUNNER_WORKSPACE/$(basename $DOCS_REPOSITORY) From 2e1006b3736c1366de2a5cc2ddb357bf81810423 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:53:34 +0600 Subject: [PATCH 02/24] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/e2e.yml | 10 +++++----- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 11 +++++++---- .github/workflows/update-docs.yml | 4 ++-- 5 files changed, 21 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 706c8650a..55984ec14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -20,22 +20,22 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Prepare Host run: | diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index ad811677b..a9543d877 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -20,16 +20,16 @@ jobs: if: contains(github.event.issue.html_url, '/pull/') && startsWith(github.event.comment.body, '/ok-to-test') runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Checkout pr env: @@ -90,7 +90,7 @@ jobs: strategy: matrix: ${{ fromJson(needs.config.outputs.matrix) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Checkout pr env: @@ -103,7 +103,7 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.29.0 config: hack/kubernetes/kind.yaml 
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 84f420098..6b545cd55 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -13,9 +13,11 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4dc35dfa4..14d19e2c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,10 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Print version info id: semver @@ -25,12 +28,12 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Publish to GitHub Container Registry env: @@ -43,7 +46,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 if: startsWith(github.ref, 'refs/tags/') env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index dae114064..817142446 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml 
@@ -17,12 +17,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.25 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' id: go - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install GitHub CLI run: | From bcf082cd64c94f0929655d0ea7e2f73c773a92ec Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 19:27:58 +0600 Subject: [PATCH 03/24] Restrict /ok-to-test to org members Signed-off-by: Tamal Saha --- .github/workflows/e2e.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index a9543d877..3a8388e6a 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -17,7 +17,10 @@ concurrency: jobs: build: - if: contains(github.event.issue.html_url, '/pull/') && startsWith(github.event.comment.body, '/ok-to-test') + if: | + contains(github.event.issue.html_url, '/pull/') && + startsWith(github.event.comment.body, '/ok-to-test') && + (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER') runs-on: ubuntu-24.04 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From ba0f908194eebcce88a3d1e3f0fe5f012e73406a Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 00:06:09 +0600 Subject: [PATCH 04/24] Push to ghcr.io/appscodeci with docker/login-action Signed-off-by: Tamal Saha --- .github/workflows/e2e.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 3a8388e6a..e2bdb9d3d 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml 
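Review bot: The new `author_association` guard on the `build` job admits only `OWNER` and `MEMBER`, so outside collaborators with write access (`COLLABORATOR`) can no longer start e2e on a fork PR; if that exclusion is deliberate, a comment above the condition such as `# only org owners/members may start e2e; COLLABORATOR is intentionally excluded` saves the next maintainer a round trip. The retained `startsWith(github.event.comment.body, '/ok-to-test')` check also matches any longer token with that prefix, so `/ok-to-testing` passes; `(github.event.comment.body == '/ok-to-test' || startsWith(github.event.comment.body, '/ok-to-test '))` keeps the `/ok-to-test <version>` form the config job parses while rejecting near-misses. A `contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)` form is also shorter than the two-way `||` if the list grows.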
@@ -43,13 +43,17 @@ jobs: sudo mv bin/hub /usr/local/bin hub pr checkout $PR_NUMBER + - name: Login to GitHub Container Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ghcr.io + username: 1gtm + password: ${{ secrets.LGTM_GITHUB_TOKEN }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/stashed - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} make release - name: Build From c4262a002fa86dacbc057bb4a7a781b91016c7ad Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 09:43:57 +0600 Subject: [PATCH 05/24] Add job permissions for workflow Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 14d19e2c1..9e0f8af0d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,6 +15,8 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From 9be22af317bd221a03ada15b8da740d97fda0564 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 14:49:33 +0600 Subject: [PATCH 06/24] Use GitHub App token for release tracker comments Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 6b545cd55..a86340be7 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
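Review bot: The new `docker/login-action` step in the `build` job logs in with the long-lived `1gtm` PAT (`secrets.LGTM_GITHUB_TOKEN`) before `make release` runs code checked out from the fork PR, so the credential sitting in `~/.docker/config.json` is reachable by anything the PR's Makefile or Dockerfiles execute; the `/ok-to-test` gate limits who can start the job, not what a PR can do once it is running. If the `ghcr.io/stashed` namespace belongs to the repository owner, the job-scoped token does the same push and expires with the job: `username: ${{ github.actor }}` / `password: ${{ secrets.GITHUB_TOKEN }}` together with a job-level `permissions: packages: write`. The commit subject says pushes now go to `ghcr.io/appscodeci`, but `REGISTRY: ghcr.io/stashed` is unchanged context in this hunk, so the subject appears to have been carried over from another repository.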
@@ -33,12 +33,24 @@ jobs: curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 sudo mv bin/hub /usr/local/bin + - name: Generate GitHub App token + id: app-token + if: | + github.event.action == 'closed' && + github.event.pull_request.merged == true + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + - name: Update release tracker if: | github.event.action == 'closed' && github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From f51ef2a64c98dffaa3a60b0d0cddf12635f72093 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:31:26 +0600 Subject: [PATCH 07/24] Apply kubedb/installer#2281: harden CI workflows Signed-off-by: Tamal Saha --- .github/workflows/e2e.yml | 4 ++-- .github/workflows/release-tracker.yml | 5 ----- .github/workflows/update-docs.yml | 5 ----- hack/scripts/update-release-tracker.sh | 2 +- 4 files changed, 3 insertions(+), 13 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index e2bdb9d3d..be3db70cd 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -110,11 +110,11 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 + uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 with: version: v0.29.0 config: hack/kubernetes/kind.yaml - image: kindest/node:${{ matrix.k8s }} + node_image: kindest/node:${{ matrix.k8s }} - name: Prepare cluster for testing id: local-path 
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index a86340be7..7099df744 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -28,11 +28,6 @@ jobs: git config --global user.email "${GITHUB_USER}@appscode.com" git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Generate GitHub App token id: app-token if: | diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 817142446..77ae573ab 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -24,11 +24,6 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Clone charts repository env: GITHUB_USER: ${{ github.actor }} diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 181aebfca..12fee4000 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From 876fba486e36661f373a07ca4fbc6d0fad6b3638 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:44:58 +0600 Subject: [PATCH 08/24] Remove Prepare git step from release-tracker.yml Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 7099df744..20067da34 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
@@ -19,15 +19,6 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - name: Generate GitHub App token id: app-token if: | From b70afcdfaf47167af54385bdbd320acc57189a06 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:10:26 +0600 Subject: [PATCH 09/24] Rename LGTM App token step id to lgtm-app-token Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 20067da34..8a510b970 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -19,8 +19,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Generate GitHub App token - id: app-token + - name: Generate LGTM App token + id: lgtm-app-token if: | github.event.action == 'closed' && github.event.pull_request.merged == true @@ -37,6 +37,6 @@ jobs: github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh From b1ec07f15dc71abd67592ffe59f81b8a54fe030d Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:20:24 +0600 Subject: [PATCH 10/24] release-tracker.yml: gate at job level with merged == true Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 8a510b970..0721e5df2 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,6 +12,7 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 permissions: contents: write @@ -21,9 +22,6 @@ jobs: - name: Generate LGTM App token id: lgtm-app-token - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} @@ -32,9 +30,6 @@ jobs: repositories: CHANGELOG - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} From c162c6fcbd09f7cd832d20568f2ee0726561cbb0 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 18:55:35 +0600 Subject: [PATCH 11/24] release-tracker.yml: drop permissions block Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 0721e5df2..ec7b274f4 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -14,8 +14,6 @@ jobs: build: if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 From e3f43f5fc45d68fecf01e3ce8414349cf2411a7e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:03:55 +0600 Subject: [PATCH 12/24] release-tracker.yml: grant permission-pull-requests to LGTM App Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 1 + 1 file changed, 1 insertion(+) 
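Review bot: Removing the job-level `permissions:` block from `build` in release-tracker.yml does not take the token away; it falls back to the repository's default `GITHUB_TOKEN` permissions, which on many repositories are read/write for every scope. After this series the job only needs `GITHUB_TOKEN` for `actions/checkout` (the comment is posted with the LGTM App token), so the least-privilege form is to keep the block and narrow it: `permissions:` / `  contents: read`. Keeping an explicit block also documents that the App token, not `GITHUB_TOKEN`, is the credential doing the write.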
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index ec7b274f4..428663041 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -26,6 +26,7 @@ jobs: private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker env: From 318e410d756e27dcc693c3bd8abd64e2f0fdfeb0 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:21:24 +0600 Subject: [PATCH 13/24] update-docs.yml: use LGTM App token Signed-off-by: Tamal Saha --- .github/workflows/update-docs.yml | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 77ae573ab..0b59822e7 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml 
@@ -24,13 +24,35 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Parse docs repository + id: docs-repo + env: + DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} + run: | + # DOCS_REPOSITORY is expected to be of the form: // + path="${DOCS_REPOSITORY#*/}" + echo "owner=${path%%/*}" >> "$GITHUB_OUTPUT" + echo "name=${path##*/}" >> "$GITHUB_OUTPUT" + + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ steps.docs-repo.outputs.owner }} + repositories: ${{ steps.docs-repo.outputs.name }} + permission-contents: write + permission-pull-requests: write + - name: Clone charts repository env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | - url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" + url="https://x-access-token:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git" cd $RUNNER_WORKSPACE git clone $url cd $(basename $DOCS_REPOSITORY) @@ -40,7 +62,7 @@ jobs: - name: Update docs env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} DOCS_REPOSITORY: ${{ secrets.DOCS_REPOSITORY }} run: | export DOCS_ROOT=$RUNNER_WORKSPACE/$(basename $DOCS_REPOSITORY) From a41cbc0cceda5f7d73a16653fb8c4211225fea9e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 19:41:26 +0600 Subject: [PATCH 14/24] Replace hub CLI with gh CLI Signed-off-by: Tamal Saha --- .github/workflows/e2e.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index be3db70cd..d734dc6c9 100644 --- a/.github/workflows/e2e.yml 
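Review bot: In the `Clone charts repository` step, `url="https://x-access-token:${GITHUB_TOKEN}@${DOCS_REPOSITORY}.git"` followed by `git clone $url` stores the App token in the clone's `.git/config` as the `origin` URL, where every later step in the job can read it; installation tokens expire within the hour, which bounds the exposure, but cloning without the token in the URL and passing it via `http.extraheader` (or `GIT_CONFIG_*`) keeps it out of the working tree entirely. The new `Parse docs repository` step derives `owner` and `name` with `${DOCS_REPOSITORY#*/}`, `${path%%/*}` and `${path##*/}`; a scheme prefix in the secret yields an empty owner and a trailing `.git` yields `name.git`, in which case the App token is minted for the wrong target, so a guard such as `[ -n "$owner" ] && [ -n "$name" ] || { echo "DOCS_REPOSITORY must be host/owner/name" >&2; exit 1; }` before the `$GITHUB_OUTPUT` writes is cheap insurance. The explanatory comment in that step reads `of the form: //`, which looks like it lost its placeholders in formatting; spelling it out as `host/<owner>/<name>` restores the intent.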
+++ b/.github/workflows/e2e.yml @@ -39,9 +39,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - hub pr checkout $PR_NUMBER + gh pr checkout $PR_NUMBER - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 @@ -104,9 +102,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - hub pr checkout $PR_NUMBER + gh pr checkout $PR_NUMBER - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind From 74b500223f4a490bec2066d0fab97f481ea37949 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:36:25 +0600 Subject: [PATCH 15/24] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e0f8af0d..284767753 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,8 +20,7 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Print version info id: semver From 404c6159e8f9899e0fb4931d8cd8e38465d717f9 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 11:49:43 +0600 Subject: [PATCH 16/24] Use docker/login-action; drop redundant docker hub steps Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 284767753..f8779d779 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -36,14 +36,18 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Log in to the GitHub Container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: 1gtm + password: ${{ secrets.LGTM_GITHUB_TOKEN }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/stashed - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm APPSCODE_ENV: prod run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} make release - name: Release From ee5470cba4ffd16494c27e45e93cd7f71c1f95f9 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:07:59 +0600 Subject: [PATCH 17/24] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43d..e58645893 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 8139fe531a37ab5de4ce3593ec07cac3b37e96eb Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:09:32 +0600 Subject: [PATCH 18/24] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e58645893..b64a5f6fc 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml 
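Review bot: The new `Log in to the GitHub Container registry` step keeps the `1gtm` PAT as the registry credential even though this job already declares `permissions: contents: write` for `GITHUB_TOKEN`; if `ghcr.io/stashed` is the repository owner's namespace, adding `packages: write` to that block and using `password: ${{ secrets.GITHUB_TOKEN }}` removes one long-lived secret from the release path. Unlike the removed inline `docker login`, `docker/login-action` logs out again in a post-step by default (`logout: true`), which is worth stating in the commit message as the actual hardening gain here. The subject also mentions dropping redundant Docker Hub steps, but this hunk only touches the GHCR login, so the subject appears carried over.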
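Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` means anything that can mint the LGTM App installation token (`LGTM_APP_CLIENT_ID` / `LGTM_APP_PRIVATE_KEY` from the workflow secrets) can open pull requests that Kodiak approves and merges without a human, so those two secrets now gate merge rather than just docs and changelog pushes. That is a reasonable trade for automation, but it deserves a comment next to the list, e.g. `# 1gtm-app[bot]: PRs opened with the LGTM App token (update-docs.yml, release-tracker.yml)`, and it argues for keeping the App installation scoped to exactly the repositories those workflows request.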
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From cff2473e0ab9edb4fc15caf00591208c4a026b44 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:35:48 +0600 Subject: [PATCH 19/24] Pin docker/login-action to v4.1.0 Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f8779d779..9033dd492 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,7 +37,7 @@ jobs: uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to the GitHub Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: 1gtm From 50b967f723762caa9fa79dd9e842960593044a59 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:44:15 +0600 Subject: [PATCH 20/24] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9033dd492..afdac2273 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,7 +51,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 if: startsWith(github.ref, 'refs/tags/') env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 058edf9f470e4125ba02da56caf18d9518858084 Mon Sep 17 00:00:00 2001 
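Review bot: The commit subject promises to add permissions, but the hunk only re-pins `softprops/action-gh-release` from a `v1` commit to `3bb12739…` (`# v2.6.2`); the job-level `contents: write` this step needs was added in an earlier patch of the series, so either trim the subject or the intended permissions change is missing from the diff. The step still passes the token through `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (context line), which the action reads, so no input change is required for the major-version bump as far as this hunk shows.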
From: Tamal Saha Date: Thu, 14 May 2026 17:57:50 +0600 Subject: [PATCH 21/24] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f25087c5c..319768c11 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ REGISTRY ?= stashed # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) From e56d9a940b839802ca0f1269183019f20b23413b Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 21:53:06 +0600 Subject: [PATCH 22/24] Remove bzr install from workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 55984ec14..944134f09 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,8 +39,6 @@ jobs: - name: Prepare Host run: | - sudo apt-get -qq update || true - sudo apt-get install -y bzr curl -LO https://dl.k8s.io/release/v1.32.1/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl From a4db194eceb3331704df9719ef05b68867830a53 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 23:37:24 +0600 Subject: [PATCH 23/24] Pin git user to 1gtm in update-crds/update-docs workflows Signed-off-by: Tamal Saha --- .github/workflows/update-docs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 0b59822e7..a88070dae 100644 --- a/.github/workflows/update-docs.yml 
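Review bot: `git describe --tags --exact-match --abbrev=0` now resolves lightweight tags, which pairs with the `fetch-depth: 0` checkout adopted in release.yml earlier in the series; the comment above it (`# This version-strategy uses git tags to set the version string`) would be more useful if it also said that `--tags` is required for lightweight tags and that when several tags point at HEAD git chooses one by its own precedence rules, so release commits should carry a single tag. The `|| echo ""` fallback still silently yields an empty version on untagged commits, which is pre-existing behaviour worth a one-line note as well.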
+++ b/.github/workflows/update-docs.yml @@ -56,8 +56,8 @@ jobs: cd $RUNNER_WORKSPACE git clone $url cd $(basename $DOCS_REPOSITORY) - git config user.name "${GITHUB_USER}" - git config user.email "${GITHUB_USER}@appscode.com" + git config user.name "1gtm" + git config user.email "1gtm@appscode.com" - name: Update docs env: From 259733623c49dd3e01ad012e0990f52dcfef8563 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 15 May 2026 10:16:58 +0600 Subject: [PATCH 24/24] Harden e2e workflow and simplify CI - e2e: gate config job with the same /ok-to-test + OWNER/MEMBER check and make kubernetes need both build and config so untrusted comments can't trigger the workflow. - e2e: move github.event.comment.body into an env var to close a shell injection vector, and replace deprecated ::set-output with $GITHUB_OUTPUT. - e2e: key concurrency on the PR/issue number so runs on different PRs no longer cancel each other. - e2e: replace actions/checkout + gh pr checkout with a single checkout using refs/pull//merge. - ci: drop unused setup-qemu-action / setup-buildx-action (make ci uses plain docker run, no buildx or multi-arch). - ci: set persist-credentials: false on checkout. - ci, update-docs: drop redundant -ci / -docs suffixes from concurrency groups since github.workflow is already unique. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 11 ++--------- .github/workflows/e2e.yml | 32 ++++++++++++++----------------- .github/workflows/update-docs.yml | 2 +- 3 files changed, 17 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 944134f09..759e0a614 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ on: workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}-ci + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: true jobs: 
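Review bot: After hard-coding `git config user.name "1gtm"` and `git config user.email "1gtm@appscode.com"`, the `GITHUB_USER: ${{ github.actor }}` entry in this step's `env` (outside the hunk) is no longer read by anything in the visible `run` block, so it should be dropped rather than left suggesting the actor still influences the commit identity. Since the push uses the LGTM App token, commits will be authored as `1gtm` while the App is the pusher; if attribution to the bot matters, the App's own bot identity is the more accurate author, and a short comment above the two `git config` lines explaining why `1gtm` is pinned would prevent a future "use github.actor" regression.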
@@ -27,15 +27,8 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: - cache-image: false - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + persist-credentials: false - name: Prepare Host run: | diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index d734dc6c9..06f9ed09d 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -12,7 +12,7 @@ on: workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + group: ${{ github.workflow }}-${{ github.event.issue.number || github.head_ref || github.ref }} cancel-in-progress: true jobs: @@ -24,6 +24,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + ref: refs/pull/${{ github.event.issue.number }}/merge - name: Set up QEMU id: qemu @@ -34,13 +36,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Checkout pr - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} - run: | - gh pr checkout $PR_NUMBER - - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: @@ -61,6 +56,10 @@ jobs: make push config: + if: | + contains(github.event.issue.html_url, '/pull/') && + startsWith(github.event.comment.body, '/ok-to-test') && + (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER') runs-on: ubuntu-24.04 needs: build outputs: 
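Review bot: The `build` job's checkout of `refs/pull/${{ github.event.issue.number }}/merge` runs fork code while `actions/checkout` keeps `GITHUB_TOKEN` in `.git/config` (the default `persist-credentials: true`), and an `issue_comment` run on the base repository gives that token the repository's default permissions unless the job narrows them; the same commit sets `persist-credentials: false` in ci.yml but not here nor in the matching `kubernetes` checkout in the later hunk. Add `persist-credentials: false` under `with:` in both places and a job-level `permissions:` / `  contents: read` (adding `packages: write` only if `GITHUB_TOKEN` takes over the registry push). Separately, the merge ref is resolved at checkout time, so commits pushed to the fork after the `/ok-to-test` comment run without a member having seen them; recording the PR head SHA as a first step (e.g. `gh pr view "$PR_NUMBER" --json headRefOid -q .headRefOid` into a job output) and checking out that SHA in `build` and `kubernetes` closes most of that window. The description's `refs/pull//merge` also appears to have lost its number placeholder.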
@@ -68,11 +67,13 @@ jobs: steps: - id: set-matrix name: Generate test matrix + env: + COMMENT_BODY: ${{ github.event.comment.body }} run: | k8s=(v1.28.15 v1.34.0) IFS=' ' - read -ra COMMENT <<< "${{ github.event.comment.body }}" + read -ra COMMENT <<< "$COMMENT_BODY" if [ ! -z ${COMMENT[1]} ]; then k8s=(${COMMENT[1]}) fi @@ -86,23 +87,18 @@ jobs: function join { local IFS="$1"; shift; echo "$*"; } matrix=$(echo "{"include":[$(join , ${matrix[@]})]}") echo $matrix - echo "::set-output name=matrix::$matrix" + echo "matrix=$matrix" >> "$GITHUB_OUTPUT" kubernetes: name: Kubernetes - needs: config + needs: [build, config] runs-on: ubuntu-24.04 strategy: matrix: ${{ fromJson(needs.config.outputs.matrix) }} steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - - name: Checkout pr - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} - run: | - gh pr checkout $PR_NUMBER + with: + ref: refs/pull/${{ github.event.issue.number }}/merge - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index a88070dae..ae79e5fee 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -8,7 +8,7 @@ on: workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}-docs + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: true jobs:
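Review bot: Moving the comment body into `COMMENT_BODY` removes the template injection, but the parsed value is still used unquoted: `[ ! -z ${COMMENT[1]} ]` and `k8s=(${COMMENT[1]})` are subject to word splitting and glob expansion, and the result reaches `node_image: kindest/node:${{ matrix.k8s }}` in the `kubernetes` job and the hand-built JSON matrix without validation. Since only owners and members reach this job the realistic risk is malformed input rather than an attacker, but an explicit check keeps a typo from producing an odd image tag: `if [ -n "${COMMENT[1]:-}" ]; then [[ "${COMMENT[1]}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unrecognised k8s version" >&2; exit 1; }; k8s=("${COMMENT[1]}"); fi`. If a comma-separated version list is meant to be accepted, widen the pattern accordingly. The `$GITHUB_OUTPUT` write is the right replacement for `::set-output`; a one-line comment noting that the matrix is consumed via `fromJson` in the next job would help the reader.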