From e2f514922f7574eac1e70195dc71136fb191302f Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Mon, 11 May 2026 23:54:37 +0600
Subject: [PATCH 01/16] Use dynamic github token

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index bf2db145d8..4bd1c17041 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -21,8 +21,8 @@ jobs:
 
       - name: Prepare git
         env:
-          GITHUB_USER: 1gtm
-          GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+          GITHUB_USER: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config --global user.name "${GITHUB_USER}"
           git config --global user.email "${GITHUB_USER}@appscode.com"
@@ -38,7 +38,7 @@ jobs:
           github.event.action == 'closed' &&
           github.event.pull_request.merged == true
         env:
-          GITHUB_USER: 1gtm
-          GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+          GITHUB_USER: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./hack/scripts/update-release-tracker.sh

From 8b628aff9548da1014b73ea0c0265f5001c82fcc Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Mon, 11 May 2026 23:54:38 +0600
Subject: [PATCH 02/16] Harden GitHub Actions workflows

- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/ci.yml              | 4 ++--
 .github/workflows/preview-website.yml | 8 ++++----
 .github/workflows/release-tracker.yml | 4 +++-
 .github/workflows/release.yml         | 8 +++++---
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 46bafbe3e7..853df09a89 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,11 +19,11 @@ jobs:
     name: Build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
           check-latest: true
diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml
index d38f3d0108..ccfb78b420 100644
--- a/.github/workflows/preview-website.yml
+++ b/.github/workflows/preview-website.yml
@@ -16,18 +16,18 @@ jobs:
     name: Build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: '1.25'
         id: go
 
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
           check-latest: true
@@ -59,7 +59,7 @@ jobs:
           make docs
           make gen-prod
 
-      - uses: FirebaseExtended/action-hosting-deploy@v0
+      - uses: FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0
         with:
           repoToken: '${{ secrets.GITHUB_TOKEN }}'
           firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }}'
diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 4bd1c17041..616cd99825 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -13,9 +13,11 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e1ff1d1047..efce9b8c32 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,18 +16,20 @@ jobs:
     name: Build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
+          fetch-depth: 1
+          fetch-tags: true
           submodules: true
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: '1.25'
         id: go
 
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
           check-latest: true

From 577fa8c05a7c3947a604143b5189427b0c705124 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Tue, 12 May 2026 18:17:39 +0600
Subject: [PATCH 03/16] Migrate firebase-tools auth to service account

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index efce9b8c32..558a74c046 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,20 +58,22 @@ jobs:
 
       - name: QA
         env:
-          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
-          GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }}
+          FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }}
         if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.'))
         run: |
+          printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json"
+          export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json"
           npm install
           make docs
           make qa
 
       - name: Release
         env:
-          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
-          GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }}
+          FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_PROD }}
         if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) == false
         run: |
+          printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json"
+          export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json"
           npm install
           make docs
           make release

From c8c4ff339483fd7c8ed9006c17f79feeaa5a4136 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Tue, 12 May 2026 18:57:29 +0600
Subject: [PATCH 04/16] Grant preview-website job the permissions Firebase
 deploy needs

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/preview-website.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml
index ccfb78b420..8eff529e05 100644
--- a/.github/workflows/preview-website.yml
+++ b/.github/workflows/preview-website.yml
@@ -15,6 +15,10 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:

From a2c3ad88bda9e4719d67f82ea870f55355ae0ebd Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 14:49:18 +0600
Subject: [PATCH 05/16] Use GitHub App token for release tracker comments

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 616cd99825..449917354b 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -35,12 +35,24 @@ jobs:
           curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
           sudo mv bin/hub /usr/local/bin
 
+      - name: Generate GitHub App token
+        id: app-token
+        if: |
+          github.event.action == 'closed' &&
+          github.event.pull_request.merged == true
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          client-id: ${{ secrets.LGTM_APP_CLIENT_ID }}
+          private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: CHANGELOG
+
       - name: Update release tracker
         if: |
           github.event.action == 'closed' &&
           github.event.pull_request.merged == true
         env:
           GITHUB_USER: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           ./hack/scripts/update-release-tracker.sh

From 7a32f32a6a759c11b9cb9f91eb42901c10f2b40a Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 17:31:30 +0600
Subject: [PATCH 06/16] Apply kubedb/installer#2281: harden CI workflows

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml  | 5 -----
 hack/scripts/update-release-tracker.sh | 2 +-
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 449917354b..fcdec26e2a 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -30,11 +30,6 @@ jobs:
           git config --global user.email "${GITHUB_USER}@appscode.com"
           git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
 
-      - name: Install GitHub CLI
-        run: |
-          curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
-          sudo mv bin/hub /usr/local/bin
-
       - name: Generate GitHub App token
         id: app-token
         if: |
diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh
index 7184cb6fe2..c8bfc4ff20 100755
--- a/hack/scripts/update-release-tracker.sh
+++ b/hack/scripts/update-release-tracker.sh
@@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in
         ;;
 esac
 
-hub api "$api_url" -f body="$msg"
+gh api "$api_url" -f body="$msg"

From dbfc7946e1b3a379c9acd2b0c3762989012758b5 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 17:45:10 +0600
Subject: [PATCH 07/16] Remove Prepare git step from release-tracker.yml

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index fcdec26e2a..936a37c2c4 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -21,15 +21,6 @@ jobs:
         with:
           submodules: true
 
-      - name: Prepare git
-        env:
-          GITHUB_USER: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git config --global user.name "${GITHUB_USER}"
-          git config --global user.email "${GITHUB_USER}@appscode.com"
-          git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
-
       - name: Generate GitHub App token
         id: app-token
         if: |

From 9b78c8c745c98e435a571d739f90733e42e9b20d Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 18:10:35 +0600
Subject: [PATCH 08/16] Rename LGTM App token step id to lgtm-app-token

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 936a37c2c4..2b4afbd2f6 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -21,8 +21,8 @@ jobs:
         with:
           submodules: true
 
-      - name: Generate GitHub App token
-        id: app-token
+      - name: Generate LGTM App token
+        id: lgtm-app-token
         if: |
           github.event.action == 'closed' &&
           github.event.pull_request.merged == true
@@ -39,6 +39,6 @@ jobs:
           github.event.pull_request.merged == true
         env:
           GITHUB_USER: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }}
         run: |
           ./hack/scripts/update-release-tracker.sh

From c36388b7d10f8ba79db74a4bee00082038853356 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 18:20:34 +0600
Subject: [PATCH 09/16] release-tracker.yml: gate at job level with merged ==
 true

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 2b4afbd2f6..8853106371 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -12,6 +12,7 @@ concurrency:
 
 jobs:
   build:
+    if: github.event.pull_request.merged == true
     runs-on: ubuntu-24.04
     permissions:
       contents: write
@@ -23,9 +24,6 @@ jobs:
 
       - name: Generate LGTM App token
         id: lgtm-app-token
-        if: |
-          github.event.action == 'closed' &&
-          github.event.pull_request.merged == true
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ secrets.LGTM_APP_CLIENT_ID }}
@@ -34,9 +32,6 @@ jobs:
           repositories: CHANGELOG
 
       - name: Update release tracker
-        if: |
-          github.event.action == 'closed' &&
-          github.event.pull_request.merged == true
         env:
           GITHUB_USER: ${{ github.actor }}
           GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }}

From 214bbc0ef8e84e91bde5f647ab550d528997072a Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 18:55:40 +0600
Subject: [PATCH 10/16] release-tracker.yml: drop permissions block

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index 8853106371..e3f0340c4e 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -14,8 +14,6 @@ jobs:
   build:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-24.04
-    permissions:
-      contents: write
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

From acdf10cb892d4c564d587e3edf26e29be2160f62 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 19:04:00 +0600
Subject: [PATCH 11/16] release-tracker.yml: grant permission-pull-requests to
 LGTM App

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release-tracker.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml
index e3f0340c4e..d3e53c82d8 100644
--- a/.github/workflows/release-tracker.yml
+++ b/.github/workflows/release-tracker.yml
@@ -28,6 +28,7 @@ jobs:
           private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: CHANGELOG
+          permission-pull-requests: write
 
       - name: Update release tracker
         env:

From 560594ed475fdec17db8e2eccf76b48dc18d3c3c Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 21:14:27 +0600
Subject: [PATCH 12/16] Use node-version: '22' in setup-node steps

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/ci.yml              | 2 +-
 .github/workflows/preview-website.yml | 2 +-
 .github/workflows/release.yml         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 853df09a89..2cd4176f30 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '20'
+          node-version: '22'
           check-latest: true
 
       - name: Install yq
diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml
index 8eff529e05..32252d8201 100644
--- a/.github/workflows/preview-website.yml
+++ b/.github/workflows/preview-website.yml
@@ -33,7 +33,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '20'
+          node-version: '22'
           check-latest: true
 
       - name: Install yq
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 558a74c046..52202d2e2d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '20'
+          node-version: '22'
           check-latest: true
 
       - name: Install yq

From d291839ee93080696d56980c741f32aa83c82b59 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 10:36:29 +0600
Subject: [PATCH 13/16] Normalize Prepare git user, fetch-depth, drop
 permission-issues

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52202d2e2d..730c4ae6ed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,8 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          fetch-depth: 1
-          fetch-tags: true
+          fetch-depth: 0
           submodules: true
 
       - name: Set up Go 1.x

From 3faaeb12917ab12b8a3b04e058d6416a4e529000 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 14:08:03 +0600
Subject: [PATCH 14/16] Add 1gtm-app[bot] to kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index ded81e43d9..e586458938 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]

From f9ac145c4e0e559d7e7f2283a15f15b0f70ec61b Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 15:09:34 +0600
Subject: [PATCH 15/16] Normalize kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index e586458938..b64a5f6fc7 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]
\ No newline at end of file

From 6051d42348b791bd08c675c9fab2dc8d9c19075c Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 17:44:23 +0600
Subject: [PATCH 16/16] Bump softprops/action-gh-release to v2.6.2; add
 permissions

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 730c4ae6ed..8418f85716 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with: