From 32db8f355af0393eefc3ca45cb59b4472d78e345 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 22:45:56 +0600 Subject: [PATCH 1/3] Use dynamic github token Signed-off-by: Tamal Saha --- .github/workflows/cve-report.yml | 4 ++-- .github/workflows/publish-oci.yml | 8 ++++---- .github/workflows/release-tracker.yml | 8 ++++---- .github/workflows/release.yml | 8 ++++---- .github/workflows/update-local-repo.yaml | 8 ++++---- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/cve-report.yml b/.github/workflows/cve-report.yml index d5e3ae039..b3a790d62 100644 --- a/.github/workflows/cve-report.yml +++ b/.github/workflows/cve-report.yml @@ -23,8 +23,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -x git config --global user.name "1gtm" diff --git a/.github/workflows/publish-oci.yml b/.github/workflows/publish-oci.yml index 49e032682..09714d5da 100644 --- a/.github/workflows/publish-oci.yml +++ b/.github/workflows/publish-oci.yml @@ -40,8 +40,8 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CHART_REPOSITORY: github.com/appscode/charts run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git" @@ -53,8 +53,8 @@ jobs: - name: Publish OCI charts env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CHART_REPOSITORY: github.com/appscode/charts run: | export REGISTRY_0=oci://ghcr.io/appscode-charts diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 4c599bd2e..30c31331e 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
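Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the Clone charts repository step is an installation token scoped to the repository running the workflow, but the context line right after it, `url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git"`, targets `github.com/appscode/charts`, a different repository, so a private clone or any push through that remote will be refused. The Publish OCI charts hunk below it and both release.yml hunks on the next line (target `${{ secrets.CHART_REPOSITORY }}`) have the same defect. Those steps still need a credential that can write to the charts repository; a GitHub App installation token minted for that repository, as the third patch does for cve-report.yml, keeps the granted scopes explicit and short-lived, whereas keeping the previous PAT there is the fallback. The cve-report hunk at the top of this line is the one place where the swap is sound on its own, since its `insteadOf` rewrite is only exercised against this repository.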
@@ -17,8 +17,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | git config --global user.name "${GITHUB_USER}" git config --global user.email "${GITHUB_USER}@appscode.com" @@ -34,7 +34,7 @@ jobs: github.event.action == 'closed' && github.event.pull_request.merged == true env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2c934edbc..e782ea6e7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,8 +30,8 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git" @@ -43,8 +43,8 @@ jobs: - name: Package env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | ./hack/scripts/update-chart-dependencies.sh diff --git a/.github/workflows/update-local-repo.yaml b/.github/workflows/update-local-repo.yaml index ea5f7ce0c..57c15bde9 100644 --- a/.github/workflows/update-local-repo.yaml +++ b/.github/workflows/update-local-repo.yaml @@ -42,8 +42,8 @@ jobs: - name: Prepare git env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo $GITHUB_SERVER_URL git config user.name "${GITHUB_USER}" 
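Review bot: In release-tracker.yml's Prepare git step, `GITHUB_USER: ${{ github.actor }}` now also feeds `git config --global user.email "${GITHUB_USER}@appscode.com"`, so the author recorded on tracker commits changes with whoever merged the pull request and the synthesized address need not exist. Keeping the identity fixed, e.g. `git config --global user.email "1gtm@appscode.com"` as the cve-report step on the previous line still does, while `GITHUB_USER` stays the actor, keeps automated commits attributable to the bot. Commits and tags pushed with `secrets.GITHUB_TOKEN` also do not start other workflow runs; if anything downstream is expected to fire on the tracker push, that chain breaks with this change.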
@@ -53,7 +53,7 @@ jobs: - name: Update Local Helm repo env: - GITHUB_USER: 1gtm - GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./hack/scripts/trigger.sh From 11e9da5f1efdfa5a8c9d84da43282eceed504638 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 22:45:56 +0600 Subject: [PATCH 2/3] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/cve-report.yml | 6 +++--- .github/workflows/publish-oci.yml | 11 +++++++---- .github/workflows/release-tracker.yml | 4 +++- .github/workflows/release.yml | 5 ++++- .github/workflows/sync-gcp-mp.yml | 6 +++--- .github/workflows/update-local-repo.yaml | 2 +- 7 files changed, 25 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aea77009a..9e7b915b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,9 +18,9 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: 'stable' cache: true @@ -50,7 +50,7 @@ jobs: matrix: k8s: [v1.29.14, v1.31.14, v1.33.7, v1.35.0] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install yq run: | 
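Review bot: The Update Local Helm repo step passes `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `./hack/scripts/trigger.sh`, and the default token cannot create `repository_dispatch` or `workflow_dispatch` events in any repository other than the one running the workflow; if that script (not visible here) dispatches to another repository, this step will start failing with 403. Even a same-repository dispatch needs `actions: write` (workflow_dispatch) or `contents: write` (repository_dispatch) on the token, and no `permissions:` block is declared in the visible hunks, so this depends on the repository's default token permissions being read-write. Either add a job-level `permissions:` with exactly the scopes the script uses, or mint a GitHub App installation token for the target repository as the third patch does for cve-report.yml.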
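Review bot: The trailing `# v4.3.1` / `# v5.6.0` comments on the pinned `uses:` lines in ci.yml are the only human-readable handle on each pin, and nothing verifies they still describe the SHA in front of them, so they drift silently after a manual edit. Pinning without an update process also tends to freeze on a vulnerable release; a `.github/dependabot.yml` entry for the `github-actions` ecosystem updates the SHA and the version comment together and keeps the pins current. This applies to every pin hunk in this patch (cve-report.yml, publish-oci.yml, release-tracker.yml, release.yml, sync-gcp-mp.yml, update-local-repo.yaml), not just ci.yml.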
@@ -60,7 +60,7 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.31.0 config: hack/kubernetes/kind.yaml diff --git a/.github/workflows/cve-report.yml b/.github/workflows/cve-report.yml index b3a790d62..5e3d72c80 100644 --- a/.github/workflows/cve-report.yml +++ b/.github/workflows/cve-report.yml @@ -14,10 +14,10 @@ jobs: name: Report runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' @@ -64,7 +64,7 @@ jobs: git commit -s -a -m "Update cve report $(date --rfc-3339=date)" - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.LGTM_GITHUB_TOKEN }} title: Update cve report diff --git a/.github/workflows/publish-oci.yml b/.github/workflows/publish-oci.yml index 09714d5da..cb836268c 100644 --- a/.github/workflows/publish-oci.yml +++ b/.github/workflows/publish-oci.yml 
@@ -16,19 +16,22 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: cache-image: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to the GitHub Container registry - uses: docker/login-action@v2 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: 1gtm diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 30c31331e..344877c38 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml @@ -12,8 +12,10 @@ concurrency: jobs: build: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare git env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e782ea6e7..e5bbdc26b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,7 +17,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Install GitHub CLI run: | diff --git a/.github/workflows/sync-gcp-mp.yml b/.github/workflows/sync-gcp-mp.yml index cfb9f3c19..2e602576e 100644 --- a/.github/workflows/sync-gcp-mp.yml +++ b/.github/workflows/sync-gcp-mp.yml 
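Review bot: `docker/login-action@v2` is replaced by a SHA labelled `# v3.7.0`, which is a major-version upgrade rather than the pin the commit message describes; the message only calls out the actions/checkout bump, so this one deserves a mention. The checkout move from @v1 to @v4.3.1 also picks up v4's default `persist-credentials: true`, which leaves the job's `GITHUB_TOKEN` in `.git/config` for every later step; since the clone and publish steps in this workflow and in the release.yml hunk below pass their own token explicitly in the URL, adding `persist-credentials: false` under the new `with:` removes a credential the buildx and chart-packaging steps do not need. With `fetch-depth: 1` only the triggering commit is checked out, so any downstream script that runs `git describe` or walks history will not see earlier tags — fine if they only read `GITHUB_REF`, worth confirming otherwise.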
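Review bot: The new job-level `permissions:` block in release-tracker.yml is exhaustive, so every scope it does not list — `pull-requests` included — drops to none for this job regardless of the repository default. The job's second step runs on `pull_request` closed-and-merged events (see the first patch) and calls `./hack/scripts/update-release-tracker.sh` with the same token; if that script comments on or labels the pull request, it now needs `pull-requests: write` next to `contents: write`. Declaring the block is the right direction; confirm the script's API calls against the two scopes before merging.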
@@ -16,10 +16,10 @@ jobs: build: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' @@ -41,7 +41,7 @@ jobs: gcloud auth configure-docker us-docker.pkg.dev - name: Log into GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: 1gtm diff --git a/.github/workflows/update-local-repo.yaml b/.github/workflows/update-local-repo.yaml index 57c15bde9..ecdcdd2ba 100644 --- a/.github/workflows/update-local-repo.yaml +++ b/.github/workflows/update-local-repo.yaml @@ -15,7 +15,7 @@ jobs: build: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare Host run: | From da4d140fc171c6f5038563a145f60e5b7f30bd15 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 17:55:14 +0600 Subject: [PATCH 3/3] cve-report.yml: use LGTM App token Signed-off-by: Tamal Saha --- .github/workflows/cve-report.yml | 35 ++++++++++++++------------------ 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/.github/workflows/cve-report.yml b/.github/workflows/cve-report.yml index 5e3d72c80..3f431024a 100644 --- a/.github/workflows/cve-report.yml +++ b/.github/workflows/cve-report.yml 
@@ -16,23 +16,16 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - go-version: '1.25' - - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -x - git config --global user.name "1gtm" - git config --global user.email "1gtm@appscode.com" - git config --global \ - url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \ - "https://github.com" - # git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: installer + permission-contents: write + permission-pull-requests: write - name: Install trivy run: | @@ -60,13 +53,15 @@ jobs: --src=catalog/editor-charts.yaml \ --src=catalog/feature-charts.yaml \ --src=catalog/reusable-ui-charts.yaml - git add catalog/README.md || true - git commit -s -a -m "Update cve report $(date --rfc-3339=date)" - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: - token: ${{ secrets.LGTM_GITHUB_TOKEN }} + token: ${{ steps.lgtm-app-token.outputs.token }} + commit-message: Update cve report + author: ${{ github.actor }} <${{ github.actor }}@appscode.com> + committer: ${{ github.actor }} <${{ github.actor }}@appscode.com> + signoff: true title: Update cve report branch: update-cve-report delete-branch: true
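Review bot: The Set up Go step is deleted together with the Prepare git step, but only the git configuration became redundant once create-pull-request performs the commit; if the report-generation step between the two hunks (not visible here) runs a Go tool from source, it has lost its toolchain. `repositories: installer` hard-codes this repository's name, so a copy of the workflow into another repository would request a token for the wrong one; `repositories: ${{ github.event.repository.name }}` keeps it bound to the running repository. The two `permission-*` inputs grant exactly what create-pull-request needs, which is the right scoping for the App token.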
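Review bot: `author` and `committer` built from `${{ github.actor }}` attribute the generated commit to a person: on `schedule` triggers the actor is the user who last touched the workflow's cron entry, and `<actor>@appscode.com` is a constructed address. Since the push now uses the App installation token, committing as the app's bot account keeps automated commits distinguishable in the history; create-github-app-token exposes the slug as `steps.lgtm-app-token.outputs.app-slug`, and its README documents the `<slug>[bot]` name plus `<user-id>+<slug>[bot]@users.noreply.github.com` address recipe (the id comes from the Users API). The jump from create-pull-request v6.1.0 to v7.0.11 is a major-version bump landing in a commit described as a token change; recording it in the message keeps the behavior change visible in history.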