Harden CI workflows #138

Merged: tamalsaha merged 5 commits into master from harden-ci-workflows, May 20, 2026

@tamalsaha
Member

Re-opening commit b7be922 as a pull request for review.

/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>

kodiakhq[bot] previously approved these changes May 20, 2026

PRs opened via gh pr create now authenticate as 1gtm-app[bot], which is
in .github/.kodiak.toml auto_approve_usernames. Using the default
GITHUB_TOKEN would author PRs as github-actions[bot] and break the
kodiak auto-merge flow for cherry-pick PRs.

The token is scoped to the current repo with only contents:write and
pull-requests:write — what the cherry-pick script needs.

Signed-off-by: Tamal Saha <tamal@appscode.com>

kodiakhq[bot] previously approved these changes May 20, 2026

Signed-off-by: Tamal Saha <tamal@appscode.com>

kodiakhq[bot] previously approved these changes May 20, 2026

actions/checkout@v4 defaults to fetch-depth: 1, so
`git branch -r | grep release` in hack/scripts/cherry-pick.sh
returned nothing and the loop body never executed.

kodiakhq[bot] previously approved these changes May 20, 2026

actions/checkout defaults to persist-credentials: true, which leaves
an http.extraheader with the workflow's GITHUB_TOKEN in git config.
That overrides the LGTM token in the URL set by `git remote set-url`,
so `git push` fails with "Permission denied to github-actions[bot]"
when pushing the cherry-pick branch.

tamalsaha merged commit 3e35a71 into master May 20, 2026
4 of 5 checks passed

tamalsaha added a commit that referenced this pull request May 20, 2026

/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
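
A preflight check for the two actions/checkout defaults described in the commit messages above (the shallow fetch that hides release branches and the persisted `http.extraheader` that shadows the token in the remote URL), as an added example that is not part of this pull request or of hack/scripts/cherry-pick.sh. The function names are hypothetical; the script only reads local git state and takes the working-copy path as its argument.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.

# Lists config keys of any auth header persisted in the repo-local git config.
# Exit status 0 means at least one exists (persist-credentials was left on).
persisted_auth_headers() {
  git -C "$1" config --local --name-only --get-regexp '^http\..*\.extraheader$'
}

# Exit status 0 when the clone is shallow (for example fetch-depth: 1).
is_shallow() {
  [ "$(git -C "$1" rev-parse --is-shallow-repository)" = "true" ]
}

# Number of remote-tracking branches matching "release", i.e. what a
# `git branch -r | grep release` loop would iterate over.
release_branch_count() {
  git -C "$1" branch -r | grep -c release || true
}

# Runs all checks; returns non-zero if pushing or cherry-picking would misbehave.
preflight() {
  pf_repo="$1"
  pf_rc=0
  if persisted_auth_headers "$pf_repo" >/dev/null; then
    echo "FAIL: persisted http.extraheader overrides the token in the remote URL"
    pf_rc=1
  fi
  if is_shallow "$pf_repo"; then
    echo "WARN: shallow clone; history and other branches may be missing"
  fi
  if [ "$(release_branch_count "$pf_repo")" -eq 0 ]; then
    echo "FAIL: no remote release branches visible; the loop body would never run"
    pf_rc=1
  fi
  return "$pf_rc"
}
```

Calling `preflight "$GITHUB_WORKSPACE"` at the top of a cherry-pick job turns both silent failure modes into an explicit error before any push is attempted.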