From fd3298937b0bc466c78542fca9fad08878204876 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Mon, 11 May 2026 22:58:08 +0600
Subject: [PATCH 1/7] Harden GitHub Actions workflows

- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/ci.yml      | 4 ++--
 .github/workflows/release.yml | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2de8d4c..e75c11d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,10 +18,10 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 11e2ba2..679c906 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,10 +14,13 @@ jobs:
     name: Build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 1
+          fetch-tags: true
 
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
 

From 1afd0c519e865529c65f94962c6dd41a2253075d Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Tue, 12 May 2026 18:18:15 +0600
Subject: [PATCH 2/7] Migrate firebase-tools auth to service account

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 679c906..59f859f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,8 +34,10 @@ jobs:
 
       - name: Deploy
         env:
-          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
+          FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_PROD }}
         run: |
+          printf '%s' "$FIREBASE_SERVICE_ACCOUNT_KEY" > "$RUNNER_TEMP/firebase-key.json"
+          export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/firebase-key.json"
           npm run build
           npm run deploy
 

From e88c6038160b9b9cb85f4bf3832e4b56b34f53a9 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 13 May 2026 21:13:13 +0600
Subject: [PATCH 3/7] Use node-version: '22' in setup-node steps

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e75c11d..7143a4c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Use Node.js 22.x
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: 22.x
+          node-version: '22'
 
       - name: Build
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 59f859f..22ebad4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: 22.x
+          node-version: '22'
 
       - name: Install Firebase CLI
         run: |

From 3a06c25721f6e511aff5eb98fb8d16118ed78453 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 10:29:57 +0600
Subject: [PATCH 4/7] Normalize Prepare git user, fetch-depth, drop
 permission-issues

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 22ebad4..b248abf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,8 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          fetch-depth: 1
-          fetch-tags: true
+          fetch-depth: 0
 
       - name: Use Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

From c771268a1b88e981f52a4af29c8797b2d3d2dab1 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 14:01:28 +0600
Subject: [PATCH 5/7] Add 1gtm-app[bot] to kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index ded81e4..e586458 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]

From 7fb57da4d3318630b6b1069787db247adc7cdcd7 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 15:03:11 +0600
Subject: [PATCH 6/7] Normalize kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/.kodiak.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index e586458..b64a5f6 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha", "1gtm-app[bot]"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]
\ No newline at end of file

From 1d22601dadfcd5724e316a066748d3889dcd3fa2 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Thu, 14 May 2026 17:37:56 +0600
Subject: [PATCH 7/7] Bump softprops/action-gh-release to v2.6.2; add
 permissions

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b248abf..921a698 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with: