From a5cdba3be94422d211591dbe8b710e442b8643ab Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 19 May 2026 22:21:56 +0600 Subject: [PATCH 1/6] Switch release-tracker to LGTM App token Mirror the image-packer template: drop the legacy PAT-based LGTM_GITHUB_TOKEN, prepare-git, and hub install steps. The update-release-tracker.sh script no longer needs to push, so git config is unnecessary; switched its hub api call to gh api, which is preinstalled on GitHub-hosted runners. Signed-off-by: Tamal Saha --- .github/workflows/release-tracker.yml | 34 +++++++++++--------------- hack/scripts/update-release-tracker.sh | 2 +- 2 files changed, 15 insertions(+), 21 deletions(-) diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 78981f5e64..bb4cf40365 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
@@ -11,31 +11,25 @@ concurrency: jobs: build: - name: Build + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 - - name: Prepare git - env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: appscode-cloud + repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index b25a250876..1ef717615c 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg" From ba5d393208b48d48d55c8795f5036ce4a6d2d9e3 Mon Sep 17 00:00:00 2001 
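Review bot: The job still has no `permissions:` block, so the default `GITHUB_TOKEN` that actions/checkout receives keeps whatever the repository default grants, even though every write now goes through the scoped app token; add `permissions:` / `  contents: read` under `build:`, matching what the last patch in this series does for preview-website.yml. `GITHUB_USER: ${{ github.actor }}` looks like a leftover of the removed push path — if update-release-tracker.sh no longer reads it, drop it, and in any case nothing should authorize on it, since the actor of a merged-PR event can be the merger rather than the author. The app token is minted with only `permission-pull-requests: write` on appscode-cloud/CHANGELOG; confirm that is the permission the endpoint behind the script's `$api_url` actually checks, otherwise the 403 only surfaces at release time.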
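Review bot: `gh api` resolves its credential from `GH_TOKEN` first, then `GITHUB_TOKEN`, and with neither set falls back to whatever `gh auth login` left on the machine, so on a self-hosted runner a missing env var would silently post as a different identity; fail closed with `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set for gh api}"` immediately before the call. `-f body=...` sends a string form field and, like `hub api -f`, switches the request to POST, so the request shape appears unchanged. The script's preamble and the construction of `api_url` and `msg` are outside the hunk.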
From: Tamal Saha Date: Tue, 19 May 2026 22:57:11 +0600 Subject: [PATCH 2/6] Drop unused hub CLI install from release workflow (#210) The release workflow installed the legacy hub CLI but nothing in the workflow, Makefile, or release scripts invokes hub. gh ships preinstalled on GitHub-hosted runners if a future step needs it. Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a5baa122b2..248c70c06b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -61,11 +61,6 @@ jobs: url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \ "https://github.com" - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Install yq run: | curl -fsSL -o yqq https://github.com/mikefarah/yq/releases/download/3.3.0/yq_linux_amd64 From 0bc01aa4c9f491e4b57010ef542d1892070a86c2 Mon Sep 17 00:00:00 2001 
From: Tamal Saha Date: Tue, 19 May 2026 23:03:02 +0600 Subject: [PATCH 3/6] Harden CI workflows Apply the appscode-cloud/installer#1252 hardening pattern. - Pin every action to a full-length commit SHA with a version comment (actions/checkout, actions/setup-node, actions/setup-python, actions/setup-go, docker/setup-qemu-action, docker/setup-buildx-action, FirebaseExtended/action-hosting-deploy). - release.yml: bump actions/checkout from v1 to v4.3.1; tag-triggered job now uses fetch-depth: 1 + fetch-tags: true so the tag ref resolves without a full clone; add least-privilege job-level permissions (contents: write, packages: write); drop the LGTM_GITHUB_TOKEN PAT for the Prepare git step and the in-repo git env in the Publish step (use github.actor + GITHUB_TOKEN). Keep LGTM_GITHUB_TOKEN as the ghcr.io docker password since publishing to the appscode org packages requires cross-org write access. Drop the unused hub CLI install step. - release_old.yml: fetch-depth: 1 + fetch-tags: true for the tag ref. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/deploy.yml | 6 +++--- .github/workflows/preview-website.yml | 8 ++++---- .github/workflows/release.yml | 24 +++++++++++++++--------- .github/workflows/release_old.yml | 9 ++++++--- 5 files changed, 30 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5dab8c846..fd909aaf4b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,12 +18,12 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install yq run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e52fe92791..216c197ccc 100644 --- a/.github/workflows/deploy.yml 
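Review bot: The SHA pins only help if something keeps them moving — the `# v4.4.0` comment is for humans and GitHub runs whichever commit the hash names — so unless the repository already has a `.github/dependabot.yml` entry for `package-ecosystem: github-actions` (or a Renovate equivalent), these pins freeze and the version comments drift away from the hashes. setup-node also runs before checkout with `check-latest: true`, which resolves and downloads the newest 20.x on every run and is now the one floating input left in this job; either note that it is deliberate, `check-latest: true  # resolves newest 20.x each run — intentional`, or drop it if reproducible builds are the goal. The Install yq step body continues past the end of the hunk.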
+++ b/.github/workflows/deploy.yml @@ -24,15 +24,15 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.x' diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 2471459db4..50b83cfca8 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -15,15 +15,15 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go 1.x - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.23' id: go - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true @@ -55,7 +55,7 @@ jobs: make assets make gen-prod - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0.10.0 with: repoToken: '${{ secrets.GITHUB_TOKEN }}' firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_QA }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 248c70c06b..f5093dc5f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
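Review bot: Two secrets, `GITHUB_TOKEN` and the long-lived `FIREBASE_SERVICE_ACCOUNT_QA` key, are handed to the third-party FirebaseExtended/action-hosting-deploy step at the end of the hunk, so pinning it by hash is the right call, but the workflow's `on:` block is outside this hunk and decides whether the step is safe at all: under `pull_request` fork PRs receive no secrets, whereas under `pull_request_target` the PR's own `make assets` and `make gen-prod` two lines above would run with the service-account key in reach. Please confirm the trigger is `pull_request` and record the decision beside the step, e.g. `# runs under pull_request: fork PRs get no secrets; do not switch to pull_request_target`.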
@@ -14,27 +14,33 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write + packages: write steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.x - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Install kubectl run: | @@ -51,8 +57,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -x git config --global user.name "${GITHUB_USER}" @@ -84,8 +90,8 @@ jobs: REGISTRY: ghcr.io/appscode DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} USERNAME: 1gtm - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} npm install diff --git a/.github/workflows/release_old.yml b/.github/workflows/release_old.yml index 5e0f75212e..20081db3e5 100644 --- a/.github/workflows/release_old.yml +++ b/.github/workflows/release_old.yml 
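Review bot: `contents: write` in the new `permissions:` block is broader than the job appears to need — later patches in this series conclude that `make release` only pushes images and delete the Prepare git step, after which nothing visible writes to the repository, so `contents: read` with `packages: write` is the least-privilege set; if `make release` does push a tag or create a release, a comment on that line is the place to say so. The hardening also stops at actions: the tools this same job installs with curl further down (yq 3.3.0 via `yq_linux_amd64`, kubectl, hugo-tools) are version-pinned but never hash-checked, so a replaced release asset would pass unnoticed; verify each download against the publisher's checksum, e.g. `echo "<sha256 from the yq release page>  yqq" | sha256sum -c -` before the `mv`. The kubectl install body continues past the hunk.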
@@ -18,15 +18,18 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Set up Go 1.x - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.23' id: go - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' check-latest: true From 7b0c356e1ddb02527d13ae50e751a4e2ab8bff7e Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 19 May 2026 23:43:22 +0600 Subject: [PATCH 4/6] Bump Node to 22, use GITHUB_TOKEN for ghcr.io login - Bump actions/setup-node to Node 22 across ci, deploy, preview-website, release, release_old. - release.yml: replace inline `docker login` + `LGTM_GITHUB_TOKEN` PAT with `docker/login-action@v4.1.0` using `github.actor` and the default `GITHUB_TOKEN` (job already has `packages: write`). - preview-website.yml: drop unused `GOOGLE_CUSTOM_SEARCH_API_KEY` env from the build step. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 +- .github/workflows/deploy.yml | 2 +- .github/workflows/preview-website.yml | 4 +--- .github/workflows/release.yml | 17 +++++++++-------- .github/workflows/release_old.yml | 5 +---- 5 files changed, 13 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fd909aaf4b..a79ba43de2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: steps: - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: '20' + node-version: '22' check-latest: true - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 216c197ccc..6f7a36948c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
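Review bot: Unlike release.yml in the same patch, this job gets no `permissions:` block, so the `GITHUB_TOKEN` it inherits stays at the repository default for the whole build; the hunk shows `runs-on: ubuntu-24.04` followed directly by `steps:`, so add `permissions:` / `  contents: read` between them (the QA and Release steps authenticate with `FIREBASE_TOKEN`, not the GitHub token, as far as this series shows). `fetch-depth: 1` with `fetch-tags: true` fetches tag objects but not the history behind them, which is presumably why the next patch goes back to `fetch-depth: 0`; if the release tooling needs a full clone, a one-line comment saying so will stop the next hardening pass from re-shortening it.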
@@ -28,7 +28,7 @@ jobs: - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: '20' + node-version: '22' check-latest: true - name: Set up Python diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 50b83cfca8..ae14a89915 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -25,7 +25,7 @@ jobs: - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: '20' + node-version: '22' check-latest: true - name: Install yq @@ -48,8 +48,6 @@ jobs: sudo mv hugo-tools /usr/local/bin/hugo-tools - name: Update docs - env: - GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }} run: | npm install make assets diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f5093dc5f8..adace5d248 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,12 +20,11 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: '20' + node-version: '22' check-latest: true - name: Set up Python @@ -85,15 +84,17 @@ jobs: chmod +x hugo-tools sudo mv hugo-tools /usr/local/bin/hugo-tools + - name: Log in to GitHub Container Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Publish to GitHub Container Registry env: REGISTRY: ghcr.io/appscode - DOCKER_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} - USERNAME: 1gtm - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN} npm install make release 
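Review bot: `fetch-depth: 0` silently reverses the depth-1 clone introduced one patch earlier and the commit message does not say why; since a full clone costs time on every release and the reason is not visible here (presumably `make release` derives a version from tag history), document it on the line: `fetch-depth: 0  # full history: release tooling resolves versions from git tags`. The rest of the job is outside this hunk.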
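Review bot: The login now uses the repository's `GITHUB_TOKEN`, but `REGISTRY` stays `ghcr.io/appscode` and the previous patch in this series kept the PAT precisely because publishing to the appscode org's packages needs cross-org write access; a `GITHUB_TOKEN` with `packages: write` can only push to packages in its own repository's owner namespace, so unless this repository itself lives under `appscode` the push inside `make release` will be denied at runtime. Either point `REGISTRY` at the owning namespace or keep a scoped credential for this one step — a short-lived LGTM App token minted with `permission-packages: write`, as the release-tracker patch does for pull requests, would be the least-privilege option if the app is installed on appscode, since `docker/login-action` takes any token as `password:`. `username: ${{ github.actor }}` only names the account for the registry handshake; authorization is decided by the token.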
diff --git a/.github/workflows/release_old.yml b/.github/workflows/release_old.yml index 20081db3e5..53710f5652 100644 --- a/.github/workflows/release_old.yml +++ b/.github/workflows/release_old.yml @@ -20,8 +20,7 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Set up Go 1.x uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 @@ -59,7 +58,6 @@ jobs: - name: QA env: FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }} - GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }} if: startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) run: | npm install @@ -69,7 +67,6 @@ jobs: - name: Release env: FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }} - GOOGLE_CUSTOM_SEARCH_API_KEY: ${{ secrets.GOOGLE_CUSTOM_SEARCH_API_KEY }} if: ${{ github.event_name == 'schedule' }} || (startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) == false) run: | npm install From ece276e7a6d2e1193f2a89908d0a2eb7a05638e6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 19 May 2026 23:45:19 +0600 Subject: [PATCH 5/6] Drop unused Prepare git step from release workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `make release` only does docker push (via docker/login-action) — no git operations need the user.name / insteadOf rewrite the step was setting up. Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index adace5d248..ec4447b533 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
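Review bot: As in release.yml, `fetch-depth: 0` undoes the depth-1 clone from the previous patch without a recorded reason; annotate it, `fetch-depth: 0  # full history needed by the release tooling (verify)`, so the next hardening pass does not flip it back. While here, the Release step's condition shown as context, `if: ${{ github.event_name == 'schedule' }} || (startsWith(...) ...)`, mixes a `${{ }}` block with bare expression text; GitHub appears to interpolate such mixed strings into a plain string rather than evaluate them as one expression, and a non-empty string is truthy, which would make the Release step run on every event — verify with a non-tag push, and if confirmed write it as a single expression: `if: github.event_name == 'schedule' || (startsWith(github.event.ref, 'refs/tags/') && (contains(github.ref, '-alpha.') || contains(github.ref, '-beta.')) == false)`.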
@@ -54,18 +54,6 @@ jobs: pip install setuptools pip install linode-cli --upgrade - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -x - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git config --global \ - url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \ - "https://github.com" - - name: Install yq run: | curl -fsSL -o yqq https://github.com/mikefarah/yq/releases/download/3.3.0/yq_linux_amd64 From 40206dc7a2583c50d8700606d69c9b3ef34eb381 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 19 May 2026 23:52:24 +0600 Subject: [PATCH 6/6] Grant preview-website token checks/PR write permissions FirebaseExtended/action-hosting-deploy posts a check run + PR comment. With no job-level `permissions:` block the GITHUB_TOKEN inherits the repo's restricted default, so the action's `POST /check-runs` call returns 403 "Resource not accessible by integration" (x-accepted-github-permissions: checks=write). Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index ae14a89915..d8bb7e3faa 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -14,6 +14,10 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read + checks: write + pull-requests: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1