Harden CI workflows#209
Merged
Mirror the image-packer template: drop the legacy PAT-based LGTM_GITHUB_TOKEN, prepare-git, and hub install steps. The update-release-tracker.sh script no longer needs to push, so git config is unnecessary; switched its hub api call to gh api, which is preinstalled on GitHub-hosted runners.

Signed-off-by: Tamal Saha <tamal@appscode.com>

The release workflow installed the legacy hub CLI but nothing in the workflow, Makefile, or release scripts invokes hub. gh ships preinstalled on GitHub-hosted runners if a future step needs it.

Signed-off-by: Tamal Saha <tamal@appscode.com>

Apply the appscode-cloud/installer#1252 hardening pattern.

- Pin every action to a full-length commit SHA with a version comment (actions/checkout, actions/setup-node, actions/setup-python, actions/setup-go, docker/setup-qemu-action, docker/setup-buildx-action, FirebaseExtended/action-hosting-deploy).
- release.yml: bump actions/checkout from v1 to v4.3.1; tag-triggered job now uses fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone; add least-privilege job-level permissions (contents: write, packages: write); drop the LGTM_GITHUB_TOKEN PAT for the Prepare git step and the in-repo git env in the Publish step (use github.actor + GITHUB_TOKEN). Keep LGTM_GITHUB_TOKEN as the ghcr.io docker password since publishing to the appscode org packages requires cross-org write access. Drop the unused hub CLI install step.
- release_old.yml: fetch-depth: 1 + fetch-tags: true for the tag ref.

Signed-off-by: Tamal Saha <tamal@appscode.com>

- Bump actions/setup-node to Node 22 across ci, deploy, preview-website, release, release_old.
- release.yml: replace inline `docker login` + `LGTM_GITHUB_TOKEN` PAT with `docker/login-action@v4.1.0` using `github.actor` and the default `GITHUB_TOKEN` (job already has `packages: write`).
- preview-website.yml: drop unused `GOOGLE_CUSTOM_SEARCH_API_KEY` env from the build step.

Signed-off-by: Tamal Saha <tamal@appscode.com>

`make release` only does docker push (via docker/login-action) — no git operations need the user.name / insteadOf rewrite the step was setting up.

Signed-off-by: Tamal Saha <tamal@appscode.com>

FirebaseExtended/action-hosting-deploy posts a check run + PR comment. With no job-level `permissions:` block the GITHUB_TOKEN inherits the repo's restricted default, so the action's `POST /check-runs` call returns 403 "Resource not accessible by integration" (x-accepted-github-permissions: checks=write).

Signed-off-by: Tamal Saha <tamal@appscode.com>
Visit the preview URL for this PR (updated for commit 40206dc): https://appscode-v3-hugo--pr209-switch-to-lgtm-app-t-4isdgl20.web.app (expires Tue, 26 May 2026 17:56:39 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 1720b7810a846fabdac7ca3b944d0f3a577e94de
Summary
Apply the CI hardening pattern from appscode-cloud/installer#1252.
- `release-tracker.yml`: switch to the LGTM GitHub App token (owner `appscode-cloud`, repositories `CHANGELOG`). Drop the legacy `Prepare git` + `Install hub` steps and the `LGTM_GITHUB_TOKEN` PAT.
- `hack/scripts/update-release-tracker.sh`: `hub api` → `gh api`.
- `release.yml`:
  - `actions/checkout` from `@v1` to `34e1148…` (v4.3.1).
  - `permissions: { contents: write, packages: write }`.
  - Pin `actions/setup-node`, `actions/setup-python`, `docker/setup-qemu-action`, `docker/setup-buildx-action`, `docker/login-action` to commit SHAs.
  - Replace inline `docker login` + `LGTM_GITHUB_TOKEN` PAT with `docker/login-action@v4.1.0` using `github.actor` and the default `GITHUB_TOKEN`.
  - Drop the `Prepare git` step (`make release` only does docker push, no git ops need the rewrite).
  - Drop the `Install GitHub CLI (hub)` step (folded from Drop unused hub CLI install from release workflow #210).
- `release_old.yml`: SHA-pin actions; `fetch-depth: 1` + `fetch-tags: true` on the tag-triggered checkout.
- `ci.yml`, `deploy.yml`, `preview-website.yml`: SHA-pin all actions (incl. `FirebaseExtended/action-hosting-deploy@v0` → `e2eda2e…` v0.10.0). Drop unused `GOOGLE_CUSTOM_SEARCH_API_KEY` env from `preview-website.yml`.
- Bump `actions/setup-node` to Node `22` across `ci.yml`, `deploy.yml`, `preview-website.yml`, `release.yml`, `release_old.yml` (Node 20 is approaching EOL).

Closes #210 (its commit was merged into this branch).
Test plan
- `release-tracker`: the comment lands on the CHANGELOG release tracker.
- `release` and `release_old`: both succeed (ghcr.io push via `GITHUB_TOKEN`, deploy-to-linode).
- `preview-website`: the Firebase preview lands.
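As an added example (not code from this PR or from the appscode repos), a small line-based audit over two constructed workflow snippets that checks three of the hardening points the summary lists: full-SHA pinning of `uses:` references, a job-level `permissions:` block, and registry login through `docker/login-action` with `GITHUB_TOKEN` rather than an inline `docker login` fed a PAT. The job names, action references and the 40-hex SHA in the samples are placeholders, not real pins.

```python
import re

# Constructed before/after samples of the release job the PR's commits describe; names
# are illustrative, not the project's files, and the 40-hex SHA is a placeholder pin.
WEAK_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v1
      - run: echo "$LGTM_GITHUB_TOKEN" | docker login ghcr.io -u user --password-stdin
"""
HARDENED_WORKFLOW = """\
jobs:
  release:
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PINNED_RE = re.compile(r"^[^@]+@[0-9a-f]{40}$")       # owner/repo@<full commit SHA>
PAT_RE = re.compile(r"\b([A-Z0-9]+_GITHUB_TOKEN)\b")  # long-lived PAT secrets, e.g. LGTM_GITHUB_TOKEN

def audit_workflow(text: str) -> list[str]:
    """Line-based audit (no YAML parser needed) returning one finding per weakness."""
    findings, jobs, job, in_jobs = [], {}, None, False
    for n, line in enumerate(text.splitlines(), 1):
        in_jobs = in_jobs or line.startswith("jobs:")
        m = re.match(r"^  ([A-Za-z0-9_-]+):\s*$", line)  # 2-space key under jobs: is a job id
        if in_jobs and m:
            jobs.setdefault((job := m.group(1)), False)
        if job and line.startswith("    permissions:"):
            jobs[job] = True
        u = USES_RE.match(line)
        if u and not PINNED_RE.match(u.group(1)):
            findings.append(f"line {n}: action not pinned to a full commit SHA: {u.group(1)}")
        for pat in PAT_RE.findall(line):
            findings.append(f"line {n}: long-lived PAT {pat} where GITHUB_TOKEN may suffice")
        if "docker login" in line:
            findings.append(f"line {n}: inline docker login; prefer docker/login-action")
    for name, has_perms in jobs.items():
        if not has_perms:
            findings.append(f"job {name}: no job-level permissions (GITHUB_TOKEN inherits repo default)")
    return findings
```

Running `audit_workflow(WEAK_WORKFLOW)` yields four findings (unpinned checkout, PAT reference, inline docker login, missing job permissions) while the hardened sample yields none; the regexes assume the two-space job indentation GitHub's own examples use.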