Tighten CI/release workflow secrets, perms, and release notes

tamalsaha · tamalsaha · commit a936042e3e70 · 2026-05-20T18:58:56.000+06:00
ci.yml:
- Drop `set -x` from the "Prepare git" step so the git config insteadOf
  URL (which embeds GITHUB_TOKEN) is not echoed by bash trace.

release.yml:
- Switch ghcr.io login from the bot user `1gtm` / `LGTM_GITHUB_TOKEN` PAT
  to `github.actor` / `GITHUB_TOKEN`, relying on the `packages: write`
  permission already declared on the build job.
- Drop the unused `contents: write` block from `label-detector`, which
  only runs a curl and emits a job output.
- Add `generate_release_notes: true` to `softprops/action-gh-release`
  so GitHub auto-populates the release notes from commit history.

Signed-off-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -47,6 +47,7 @@ jobs:
         uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         if: startsWith(github.ref, 'refs/tags/')
         with:
+          generate_release_notes: true
           files: |
             bin/kubectl-dba-darwin-amd64.tar.gz
             bin/kubectl-dba-darwin-arm64.tar.gz
