From b4a965f3c569e2ba92a5e45a6205ed081fc7de8c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 23:20:21 +0600 Subject: [PATCH 1/9] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 11 +++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f0521e6..f403d1e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,13 +20,13 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Set up Go 1.19 - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: 1.19 id: go - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run checks run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5836bb4..fc151fd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,7 +17,10 @@ jobs: steps: - name: Check out code into the Go module directory - uses: actions/checkout@v1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Print version info id: semver 
@@ -26,12 +29,12 @@ jobs: - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build env: @@ -40,7 +43,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 if: startsWith(github.ref, 'refs/tags/') with: draft: true From 2c9e55458e70fc13bc79ff6909b14e54c0f1f013 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 09:45:40 +0600 Subject: [PATCH 2/9] Add job permissions for workflow Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fc151fd..7cfa226 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,8 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Check out code into the Go module directory From d9b1567508232adc2a7997fa704a42d6422ae8eb Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:31:47 +0600 Subject: [PATCH 3/9] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7cfa226..8bb49fe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,8 +21,7 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Print version info id: semver 
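Review bot: `contents: write` is granted to the whole `build` job, so every run carries a push-capable `GITHUB_TOKEN` even though only the Release step is gated with `if: startsWith(github.ref, 'refs/tags/')`; the QEMU, Buildx and `make release` steps run with that same token on non-tag refs. Actions cannot scope permissions per step, so the practical mitigations are a read-only default at the top of the file (`permissions:` / `  contents: read`) and checking that the `on:` triggers (outside this hunk) never hand this job untrusted input, e.g. via `pull_request_target`. The grant also deserves a why-comment where it is made: `contents: write  # action-gh-release needs it to create the draft release`.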
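Review bot: `fetch-depth: 0` switches the release checkout to a full-history clone without saying why, and the commit subject ("Prepare git user", "drop permission-issues") describes changes that are not in this diff. The reason is the Makefile's version strategy, which runs `git describe --exact-match` and `git show -s --format=%ct` against the checked-out commit and expects the tag objects to be present, so record it in place: `fetch-depth: 0  # full history + tags: the Makefile derives git_tag via git describe`. If the subject cannot be amended, a one-line comment here is the only place a future reader will find the rationale.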
From 810253de95268094b06b4ede0bdabc5f3baa3459 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:03:22 +0600 Subject: [PATCH 4/9] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e4..e586458 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 77c7751fce8cd3d4e0af073cc2729cb0731ca8d9 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:05:20 +0600 Subject: [PATCH 5/9] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e586458..b64a5f6 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From 7566091d2428981f55e964118b74457c06f68db3 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:39:15 +0600 Subject: [PATCH 6/9] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8bb49fe..3a62744 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
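Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` makes Kodiak approve any pull request authored by that GitHub App without a human review, which, combined with Kodiak's merge automation (its `[merge]` settings are above this hunk), turns the App's credentials into a direct write path to the protected branch. Anyone who obtains the App's private key or an installation token, or who can make the App open a PR from untrusted input, inherits that bypass. Confirm that branch protection still requires a human review for PRs not authored by the App and that the App only opens PRs from trusted triggers, and document the trust decision next to the list: `# 1gtm-app[bot]: release-automation App; its PRs are approved without human review`.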
@@ -44,7 +44,7 @@ jobs: make release - name: Release - uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 if: startsWith(github.ref, 'refs/tags/') with: draft: true From 3beb1b61b35b02270e4ece3405d48c130a2a9b91 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:53:12 +0600 Subject: [PATCH 7/9] Makefile: use --tags in git describe so lightweight tags resolve Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 89ab51e..a86bb6a 100644 --- a/Makefile +++ b/Makefile @@ -21,7 +21,7 @@ COMPRESS ?= no # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) From b7b8339ca529860817a31519352e9653ae0c5fd9 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 21:52:13 +0600 Subject: [PATCH 8/9] Remove bzr install from workflows Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f403d1e..b4941a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,6 +30,4 @@ jobs: - name: Run checks run: | - sudo apt-get -qq update || true - sudo apt-get install -y bzr make ci From ed615a07821e7216a44635bf3dba38655969bd71 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 15 May 2026 14:31:25 +0600 Subject: [PATCH 9/9] Makefile: use golangci-lint v1-compatible --skip-files flag Signed-off-by: Tamal Saha --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
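Review bot: With `--tags`, `git_tag` now resolves lightweight tags as well as annotated ones, so an unannotated tag that anyone with push access creates on the release commit becomes the version string the release is built under; if the project relied on annotated (possibly signed) tags as the release gate, this line removes it. The intent should be stated on the line above: `# --tags: also match lightweight tags (bot-created release tags are not annotated)`. Separately, `--abbrev=0` appears redundant once `--exact-match` is given, since an exact match already prints the bare tag name, so `git describe --tags --exact-match` would read more clearly.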
diff --git a/Makefile b/Makefile index a86bb6a..25edd63 100644 --- a/Makefile +++ b/Makefile @@ -218,7 +218,7 @@ lint: $(BUILD_DIRS) --env GO111MODULE=on \ --env GOFLAGS="-mod=vendor" \ $(BUILD_IMAGE) \ - golangci-lint run --enable $(ADDTL_LINTERS) --timeout=20m --exclude-files="generated.*\.go$\" --exclude-dirs-use-default + golangci-lint run --enable $(ADDTL_LINTERS) --timeout=20m --skip-files="generated.*\.go$\" $(BUILD_DIRS): @mkdir -p $@
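Review bot: The regex in `--skip-files="generated.*\.go$\"` loses its end-of-line anchor: GNU Make reads `$\` as a one-character variable reference (to a variable named `\`), which expands to nothing, so the shell receives `--skip-files="generated.*\.go"` and the pattern also matches paths where `.go` is not the final suffix. Write the anchor as `$$` and single-quote the value so no further escaping is needed: `golangci-lint run --enable $(ADDTL_LINTERS) --timeout=20m --skip-files='generated.*\.go$$'`. Dropping `--exclude-dirs-use-default` looks safe because the v1 equivalent `--skip-dirs-use-default` defaults to on, but that is from memory and worth a one-line comment on the recipe. The `lint` recipe begins outside this hunk.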