From 2402d143407d97438fc6cb4d6c5f8d7bf6a48109 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 11 May 2026 22:44:31 +0600 Subject: [PATCH 1/5] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 6 +++--- .github/workflows/publish.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 1c4e917..7cd7826 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml @@ -7,11 +7,11 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: true - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '22' @@ -25,7 +25,7 @@ jobs: run: | make gen - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0 with: repoToken: '${{ secrets.GITHUB_TOKEN }}' firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_APPSCODE_GOVANIURLS }}' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0905749..2736387 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
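Review bot: The pinned `actions/checkout` step in this hunk still runs with the default `persist-credentials: true`, so the job's GITHUB_TOKEN is written into `.git/config` and stays readable by every later step, including `make gen` and the third-party Firebase action. None of the visible steps pushes with the git credential (the Firebase action receives the token explicitly via `repoToken`), so add `persist-credentials: false` under the checkout's `with:` block next to `submodules: true`. If a step outside the hunk does rely on the persisted credential, that would need to be confirmed before making the change.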
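Review bot: The trailing comment on the new `FirebaseExtended/action-hosting-deploy` pin reads `# v0`, which is the floating major tag rather than the release the SHA actually resolves to, so a reader or an update bot cannot tell which version is pinned or when it drifts. Record the exact release tag that commit `092436d` carries upstream, the same way the checkout and setup-node pins carry `# v4.3.1` and `# v4.4.0`. This matters more here than for the other pins because this action is handed both `secrets.GITHUB_TOKEN` and the Firebase service-account secret, so verifying the SHA against the upstream release before merging is worth the minute it takes.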
@@ -10,11 +10,11 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: true - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '22' @@ -31,7 +31,7 @@ jobs: run: | make gen - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: FirebaseExtended/action-hosting-deploy@092436dca3ec6dacb231d965ae56f7ff6c09f258 # v0 with: repoToken: '${{ secrets.GITHUB_TOKEN }}' firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_APPSCODE_GOVANIURLS }}' From 99a94eecb802bf25e79f8cf16a5326259bfb3a57 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 18:59:59 +0600 Subject: [PATCH 2/5] Grant preview-website job the permissions Firebase deploy needs Signed-off-by: Tamal Saha --- .github/workflows/publish.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2736387..1ef826a 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -9,6 +9,10 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read + checks: write + pull-requests: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From 6170cc58b552b2434064913a448b953a04dbadec Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 19:00:17 +0600 Subject: [PATCH 3/5] Grant preview-website job the permissions Firebase deploy needs Signed-off-by: Tamal Saha --- .github/workflows/preview-website.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/preview-website.yml b/.github/workflows/preview-website.yml index 7cd7826..d083129 100644 --- a/.github/workflows/preview-website.yml +++ b/.github/workflows/preview-website.yml 
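Review bot: The commit message states that tag-triggered workflows now check out with `fetch-depth: 1` / `fetch-tags: true` and that release-tracker.yml gains `contents: write`, but the diffstat lists only preview-website.yml and publish.yml and neither hunk adds those keys, so the message documents changes that are not in this patch. Either trim the message to the pinning and bump it actually performs or note that the remaining items land in a separate commit. Separately, this checkout step has the same persisted-credential exposure as the one in preview-website.yml; `persist-credentials: false` under `with:` would keep the token out of `.git/config` for the rest of the job, since no visible step pushes with it.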
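Review bot: The `firebaseServiceAccount` input in this hunk reads the same secret, `FIREBASE_SERVICE_ACCOUNT_APPSCODE_GOVANIURLS`, that preview-website.yml passes to the same action, so whatever this workflow deploys (presumably the live site) shares one set of Firebase credentials with PR preview deploys. If preview-website.yml runs on pull requests, anyone who can get code executed in that job holds credentials sufficient to overwrite production hosting. A preview-only service account, or at least a separate secret scoped through a GitHub environment with required reviewers, would bound that; neither workflow's trigger is visible from the hunk, so treat this as something to confirm rather than a certainty.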
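Review bot: The new job-level `permissions` block grants `checks: write` and `pull-requests: write` to the publish job, yet those scopes only serve the Firebase action's PR-comment and check-run path, and the commit title says this is for the preview-website job while the file changed is publish.yml. If publish.yml runs on pushes or tags rather than on pull requests (the trigger is outside the hunk), the block can shrink to `permissions:` / `  contents: read`, and the title should name the publish job. Narrowing here is cheap because the block is already per-job, so no other job is affected.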
@@ -6,6 +6,10 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read + checks: write + pull-requests: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: From f36a145cd13770891682a668a6a07b6cb077bc11 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 14:00:35 +0600 Subject: [PATCH 4/5] Add 1gtm-app[bot] to kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e4..e586458 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] From 0e46d86c20f6fa403d9ebb599db5387f591f2bcc Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 15:23:21 +0600 Subject: [PATCH 5/5] Normalize kodiak auto_approve_usernames Signed-off-by: Tamal Saha --- .github/.kodiak.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index e586458..b64a5f6 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file
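Review bot: With `pull-requests: write` and `checks: write` now granted in this hunk, whether the job is safe depends on the workflow trigger, which is outside the hunk: on `pull_request` the token is read-only and secrets are withheld for fork PRs regardless of this block, but on `pull_request_target` a fork could run the preview build with a write token and the Firebase service-account secret in scope. Confirm the trigger is `pull_request`, and consider a top-level `permissions:` / `  contents: read` so any job added later inherits nothing beyond read. The job-level block itself is the right shape; it just needs the trigger to match it.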
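Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` makes Kodiak approve every pull request that GitHub App opens, so the app's identity now substitutes for a human reviewer; if the app's private key, an installation token, or any workflow that acts as the app is compromised, the attacker's PRs arrive pre-approved. That trust decision deserves a comment above the line, e.g. `# PRs from 1gtm-app[bot] are auto-approved: its credentials are review-equivalent, guard them accordingly`. Both `1gtm` and `1gtm-app[bot]` remain listed; if the app replaced the user account, drop the one no longer used so the approval set stays minimal. A branch-protection rule requiring a CODEOWNERS review that Kodiak cannot satisfy would be the backstop.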
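Review bot: This reorder drops the file's trailing newline (`\ No newline at end of file`), so a commit titled "Normalize" leaves .kodiak.toml less normalized than before and will show a spurious diff on the next edit. Restore the newline after the `auto_approve_usernames` line. The reordering itself presumably has no functional effect, since the names are matched as a set.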