From dcd21bcb8121811695f8db90651fd982f8e3af7f Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 22:46:47 +0600 Subject: [PATCH 1/6] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b79d56..6f8a035 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,10 +18,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Use Node.js 22.x - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22.x diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d78872a..624de27 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,10 +14,13 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + fetch-depth: 1 + fetch-tags: true - name: Use Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22.x From f7cda6cf89f2c5fc67b49e005ede76c2efb9b2d5 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 13 May 2026 21:12:43 +0600 Subject: [PATCH 2/6] Use node-version: '22' in setup-node steps Signed-off-by: Tamal Saha --- .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f8a035..71a66d1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: - name: Use Node.js 22.x uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: 22.x + node-version: '22' - name: Build env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 624de27..69dc893 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: 22.x + node-version: '22' - name: Build run: | From 9e0ed2944102094297179954ee7618d01500d4e3 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:29:21 +0600 Subject: [PATCH 3/6] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69dc893..7084dcf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,8 +16,7 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 From dda9b84d327c4ea843c2c78db552cebf4253e719 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:00:40 +0600 Subject: [PATCH 4/6] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e4..e586458 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From eb9d8049ccb90a4af2307e2003cd960978c3da99 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:02:09 +0600 Subject: [PATCH 5/6] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e586458..b64a5f6 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file From c71fa5d115c8ec18c3994e62a7f8cbfb3356745c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 17:37:12 +0600 Subject: [PATCH 6/6] Bump softprops/action-gh-release to v2.6.2; add permissions Signed-off-by: Tamal Saha --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7084dcf..e0fdc3b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,8 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: