Signed-off-by: Jian Qiu <jqiu@redhat.com>
…e scripts (open-cluster-management-io#369)
* Replace deprecated kubebuilder-release-tools PR verifier with inline scripts.
Signed-off-by: Zhiwei Yin <zyin@redhat.com>
* upgrade the kind version and check the cluster status.
Signed-off-by: Zhiwei Yin <zyin@redhat.com>
---------
Signed-off-by: Zhiwei Yin <zyin@redhat.com>
…ement-io#371)
Upgrade OpenTelemetry SDK from v1.37.0 to v1.42.0 (latest stable version) to address security vulnerability CVE-2026-24051.
Changes:
- go.opentelemetry.io/otel/sdk: v1.37.0 → v1.42.0
- go.opentelemetry.io/otel: v1.37.0 → v1.42.0
- go.opentelemetry.io/otel/metric: v1.37.0 → v1.42.0
- go.opentelemetry.io/otel/trace: v1.37.0 → v1.42.0
- go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
- golang.org/x/sys: v0.39.0 → v0.41.0
All tests pass after the upgrade.
Fixes open-cluster-management-io#370
🤖 Generated with Claude Code https://claude.com/claude-code
Signed-off-by: zhujian <jiazhu@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
…#361) Signed-off-by: Thibault Mange <22740367+thibaultmg@users.noreply.github.com>
…en-cluster-management-io#378)
* Add TLS ConfigMap watch-and-restart to helloworld agent example
Use sdk-go's StartTLSConfigMapWatcher to watch the ocm-tls-profile ConfigMap in the addon agent namespace on the managed cluster. When the ConfigMap is created, updated, or deleted by the klusterlet-operator the agent process exits so Kubernetes restarts the pod with the new TLS settings.
Signed-off-by: zhujian <zhujian@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
* Add TLS ConfigMap watcher to hub-side addon manager example
Watch the ocm-tls-profile ConfigMap in the addon manager namespace on the hub. When it changes the manager exits so Kubernetes restarts the pod with the new TLS settings. A new --addon-manager-namespace flag is added to tell the manager which namespace to watch.
Signed-off-by: zhujian <zhujian@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
---------
Signed-off-by: zhujian <zhujian@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
…o#380) Signed-off-by: Jian Qiu <gothicqiujian@gmail.com>
* use v1beta1 addon api
Signed-off-by: Qing Hao <qhao@redhat.com>
* use v1beta1 fields
Signed-off-by: Qing Hao <qhao@redhat.com>
* Update interface for v1beta1
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* add integration test for v1alpha1
Signed-off-by: Qing Hao <qhao@redhat.com>
---------
Signed-off-by: Qing Hao <qhao@redhat.com>
Signed-off-by: Jian Qiu <jqiu@redhat.com>
Co-authored-by: Jian Qiu <jqiu@redhat.com>
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.
Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
Summary
Tighten the GitHub Actions workflows in this repo so they no longer depend on a long-lived LGTM_GITHUB_TOKEN PAT, and bring them in line with GitHub's hardening guidance.
- GITHUB_TOKEN instead of a PAT for in-repo operations.
- GITHUB_USER switches to github.actor.
- GITHUB_TOKEN to least privilege at the job level.
- release-tracker.yml gets contents: write so the token can push commits/tags back to this repo.
- @v4 can't be silently re-pointed.
- fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone.
- actions/checkout@v1 to @v4.3.1 where it appeared.
Test plan
- release-tracker continues to push commits/tags on PR close.
- release.yml still functions on the next tag.
🤖 Generated with Claude Code
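The checks this PR describes can be enforced mechanically. The following is an added example, not code from this PR or repository: a small line-based audit that flags `uses:` refs not pinned to a 40-character commit SHA, named secrets other than the default `GITHUB_TOKEN`, and workflows with no `permissions:` block. The sample workflow, its SHA and the function name `audit_workflow` are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from this repository). The 40-hex SHA
# below is a placeholder, not the real commit for actions/checkout v4.3.1.
SAMPLE_WORKFLOW = """\
name: release-tracker
on:
  pull_request:
    types: [closed]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v1
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: ./.github/actions/local
      - run: ./hack/release.sh
        env:
          GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def audit_workflow(text):
    """Return a list of (line_number, finding, detail) tuples for one workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        # Local actions (./path) live in the repo itself; docker:// images are
        # pinned by digest instead and are out of scope for this check.
        if m and not m.group(1).startswith(("./", "docker://")):
            _, _, ref = m.group(1).partition("@")
            if not FULL_SHA_RE.match(ref):
                findings.append((lineno, "unpinned-action", m.group(1)))
        # Any secret other than the built-in token is worth a review: it may be
        # a long-lived PAT that the job-scoped GITHUB_TOKEN could replace.
        for name in SECRET_RE.findall(line):
            if name != "GITHUB_TOKEN":
                findings.append((lineno, "named-secret", name))
    # Without an explicit block the token gets the repository's default scopes.
    if not PERMISSIONS_RE.search(text):
        findings.append((0, "no-permissions-block", ""))
    return findings
```

Run over every file in `.github/workflows/` in CI, a non-empty result can fail the build so a floating tag or a PAT reference does not slip back in.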