Harden CI workflows #825

Open
tamalsaha wants to merge 17 commits into master from nolgtm
Conversation

@tamalsaha
Member

@tamalsaha tamalsaha commented May 9, 2026

Summary

Tighten the GitHub Actions workflows in this repo so they no longer depend on a long-lived LGTM_GITHUB_TOKEN PAT, and bring them in line with GitHub's hardening guidance.

  • Use the default GITHUB_TOKEN instead of a PAT for in-repo operations. GITHUB_USER switches to github.actor.
  • Scope GITHUB_TOKEN to least privilege at the job level. release-tracker.yml gets contents: write so the token can push commits/tags back to this repo.
  • Pin every action to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be silently re-pointed.
  • Tag-triggered workflows now check out with fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone.
  • Bump outdated actions/checkout@v1 to @v4.3.1 where it appeared.

Test plan

  • CI passes on this PR.
  • Confirm release-tracker continues to push commits/tags on PR close.
  • Confirm release.yml still functions on the next tag.

🤖 Generated with Claude Code
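The PR description above lists the properties a hardened workflow should have. The audit script below is an added example, not code from this PR or from the appscode project: it scans workflow text for the rules the description names (every action pinned to a full-length commit SHA with a trailing version comment, an explicit least-privilege permissions block, and fetch-tags: true on checkouts in tag-triggered workflows). The two embedded workflows are constructed samples; the 40-character SHAs and the version comments in the hardened one are placeholders, not real action commit ids. Treating a `tags:` key that appears before `jobs:` as a tag trigger is a simplifying assumption of this script.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflows (not files from the project). The 40-hex SHAs
# and version comments in the hardened one are placeholders.
WEAK_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
"""

HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions: {}   # nothing by default; jobs opt in below
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only what pushing commits/tags back needs
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
        with:
          fetch-depth: 1
          fetch-tags: true
      - name: Set up Go
        uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v5
        with:
          go-version: '1.22'
"""

# "uses: owner/repo@ref  # comment" (local ./actions have no "@" and are skipped)
_USES = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>\S+?)@(?P<ref>[^\s#]+)\s*(?P<comment>#.*)?$")
_SHA40 = re.compile(r"^[0-9a-f]{40}$")
_VERSION_COMMENT = re.compile(r"^#\s*v?\d+(\.\d+)*")


class Finding(NamedTuple):
    line: int      # 1-based line number; 0 means "whole file"
    rule: str
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _step_body(lines: List[str], idx: int) -> List[str]:
    """Lines belonging to the step whose uses: key sits at lines[idx]."""
    base = _indent(lines[idx])
    body: List[str] = []
    for line in lines[idx + 1:]:
        s = line.strip()
        if not s:
            continue
        if (s.startswith("- ") and _indent(line) <= base) or _indent(line) < base:
            break  # next step, or left the steps list entirely
        body.append(line)
    return body


def audit_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    findings: List[Finding] = []
    # Assumption: the trigger section is everything before the top-level
    # "jobs:" key, and a "tags:" key there means the workflow runs on tag pushes.
    jobs_at = next((i for i, l in enumerate(lines) if l.rstrip() == "jobs:"), len(lines))
    tag_triggered = any(re.match(r"^\s+tags:", l) for l in lines[:jobs_at])
    saw_permissions = False
    for idx, raw in enumerate(lines):
        n = idx + 1
        head = raw.split("#", 1)[0].strip()
        if head.startswith("permissions:"):
            saw_permissions = True
            if head.split(":", 1)[1].strip() == "write-all":
                findings.append(Finding(n, "overly-broad-permissions", head))
            continue
        m = _USES.match(raw)
        if not m or m.group("action").startswith("docker://"):
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment") or ""
        if not _SHA40.match(ref):
            findings.append(Finding(n, "unpinned-action", f"{action}@{ref}"))
        elif not _VERSION_COMMENT.match(comment):
            findings.append(Finding(n, "missing-version-comment", f"{action}@{ref[:12]}"))
        if tag_triggered and action == "actions/checkout":
            body = _step_body(lines, idx)
            if not any(re.match(r"^\s*fetch-tags:\s*true\b", b) for b in body):
                findings.append(Finding(n, "tag-ref-not-fetched",
                                        "checkout in tag-triggered workflow lacks fetch-tags: true"))
    if not saw_permissions:
        findings.insert(0, Finding(0, "no-permissions-block",
                                   "GITHUB_TOKEN keeps the repository default scope"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for f in audit_workflow(text) or [Finding(0, "ok", "no findings")]:
            print(f"{name}:{f.line}: {f.rule}: {f.detail}")
```

Run it against each file under .github/workflows to get a line-numbered list of what still needs pinning or scoping; the weak sample produces four findings and the hardened sample none.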

tamalsaha added 2 commits May 9, 2026 23:31
Signed-off-by: Tamal Saha <tamal@appscode.com>
- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha changed the title from "Use dynamic github token" to "Harden CI workflows" on May 11, 2026
tamalsaha added 9 commits May 13, 2026 09:48
The default GITHUB_TOKEN is scoped to the current repo, so the
clone/push to appscode/krew-index cannot succeed with it. Mint an
installation token via the LGTM GitHub App (contents:write,
pull-requests:write on appscode/krew-index) and use it for both the
clone and the open-pr.sh invocation.

Factor the prerelease gate out into a single "Classify release" step
that reads GITHUB_REF (works for both push:tags and workflow_dispatch)
and exposes is_release as a step output. The token step and the two
krew steps now gate on that single output instead of repeating the
same long expression three times.

Signed-off-by: Tamal Saha <tamal@appscode.com>
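The "Classify release" step described in the commit above reads GITHUB_REF and exposes is_release as one step output that later steps gate on. As an added example (not the project's own step), the function below classifies a ref the same way and formats the key=value lines a run: step would append to $GITHUB_OUTPUT. The tag convention it uses (a bare vMAJOR.MINOR.PATCH tag is a release, any hyphenated suffix such as -rc.0 is a prerelease) is an assumption; the commit message does not state the actual rule.

```python
import os
import re
from typing import List, NamedTuple

# Assumed tag convention (the commit does not state the real one): a bare
# "vMAJOR.MINOR.PATCH" tag is a release, a "-rc.1" / "-beta.0" style suffix
# marks a prerelease, and a ref that is not a tag is never a release.
_RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")
_PRERELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+-[0-9A-Za-z.]+$")
_TAG_PREFIX = "refs/tags/"


class Classification(NamedTuple):
    is_release: bool
    kind: str   # "release" | "prerelease" | "unknown-tag" | "not-a-tag"
    tag: str    # tag name without refs/tags/, "" for non-tag refs


def classify_ref(github_ref: str) -> Classification:
    """Classify GITHUB_REF once so later steps gate on is_release instead of
    repeating the expression. Works for push:tags and for workflow_dispatch,
    where GITHUB_REF is usually a branch ref and therefore not a release."""
    if not github_ref.startswith(_TAG_PREFIX):
        return Classification(False, "not-a-tag", "")
    tag = github_ref[len(_TAG_PREFIX):]
    if _RELEASE_TAG.match(tag):
        return Classification(True, "release", tag)
    if _PRERELEASE_TAG.match(tag):
        return Classification(False, "prerelease", tag)
    return Classification(False, "unknown-tag", tag)


def step_output_lines(c: Classification) -> List[str]:
    """key=value lines in the format the $GITHUB_OUTPUT file expects."""
    return [
        "is_release=" + ("true" if c.is_release else "false"),
        "release_kind=" + c.kind,
        "release_tag=" + c.tag,
    ]


def write_step_output(github_ref: str, output_path: str) -> Classification:
    """Append (never truncate: earlier steps may already have written to it)
    the classification to the GITHUB_OUTPUT file."""
    c = classify_ref(github_ref)
    with open(output_path, "a", encoding="utf-8") as fh:
        for line in step_output_lines(c):
            fh.write(line + "\n")
    return c


if __name__ == "__main__":
    # Inside a job this is all a "run: python classify.py" step needs.
    ref = os.environ.get("GITHUB_REF", "")
    out = os.environ.get("GITHUB_OUTPUT")
    result = write_step_output(ref, out) if out else classify_ref(ref)
    print("\n".join(step_output_lines(result)))
```

Downstream steps then use `if: steps.classify.outputs.is_release == 'true'` and the rule lives in exactly one place.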

update-docs.yml: use LGTM App token to push docs PR

The default GITHUB_TOKEN cannot push to the external docs repository
referenced by secrets.DOCS_REPOSITORY. Parse DOCS_REPOSITORY
(<host>/<owner>/<name>) into owner/name outputs and use them to mint
an installation token via the LGTM GitHub App (contents:write,
pull-requests:write). The clone and open-pr.sh steps now use that
token instead of GITHUB_TOKEN.

Signed-off-by: Tamal Saha <tamal@appscode.com>
tamalsaha added 6 commits May 14, 2026 10:32