Harden CI workflows#1745

Merged
tamalsaha merged 3 commits into master from harden-ci-workflows-v2 on May 20, 2026

Conversation

@tamalsaha

Member

Summary

  • Re-applies the Harden CI workflows change that originally landed as #1734 (commit 1d02711), which was force-reset off master because its cherry-pick workflow still couldn't push to release branches.
  • fetch-depth: 0 lets the script see release branches.
  • persist-credentials: false stops actions/checkout from leaving an http.extraheader with the workflow's GITHUB_TOKEN, which otherwise overrides the LGTM token in the remote URL and causes the push to fail with Permission denied to github-actions[bot].

Background

The hardened cherry-pick workflow switched to actions/checkout@v4.3.1, whose defaults broke the original cherry-pick.sh in two ways:

  1. fetch-depth: 1 hid all origin/release-* refs, so the loop body never ran (run 26143101071 — 12s, no script output).
  2. persist-credentials: true left a github-actions[bot] extraheader that overrode the LGTM token set via git remote set-url, so the push step 403'd (run 26143763790).

Both are addressed in this PR.

/cherry-pick

🤖 Generated with Claude Code
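
The following workflow is an added example, not the project's own workflow file or its hack/scripts/cherry-pick.sh. It puts the two checkout settings from the description side by side with a guard step that fails fast if either default is still in effect, then runs a cherry-pick loop of the shape the description implies. Assumed (not taken from the page): the LGTM_TOKEN secret name, the x-access-token URL form used with git remote set-url, the "/cherry-pick" marker in the commit message, the origin/release-* branch naming, the bot identity, and the use of gh to open the PR.

```yaml
# Added example, not the project's workflow or cherry-pick script.
# Assumed names: LGTM_TOKEN, the "/cherry-pick" marker, origin/release-*, lgtm-bot.
name: cherry-pick

on:
  push:
    branches: [master]

permissions:
  contents: read   # the job token is only used to clone; pushes use LGTM_TOKEN

jobs:
  cherry-pick:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # default is 1, which fetches no origin/release-* refs
          persist-credentials: false  # default is true, which leaves GITHUB_TOKEN in http.extraheader

      - name: Check that checkout left no credentials behind
        run: |
          # With persist-credentials: true this key holds "AUTHORIZATION: basic <token>"
          # and overrides any token placed in the remote URL later.
          if git config --get-all http.https://github.com/.extraheader | grep -qi '^authorization:'; then
            echo "GITHUB_TOKEN is still in git config; the push below would run as github-actions[bot]" >&2
            exit 1
          fi
          # With fetch-depth: 1 this list is empty and the loop below never runs.
          git branch -r | grep -q 'origin/release-' || { echo "no release branches fetched" >&2; exit 1; }

      - name: Cherry-pick marked commits into release branches
        env:
          LGTM_TOKEN: ${{ secrets.LGTM_TOKEN }}   # assumed secret name
          GH_TOKEN: ${{ secrets.LGTM_TOKEN }}     # gh reads this for `gh pr create`
        run: |
          set -euo pipefail
          git config user.name  "lgtm-bot"             # assumed bot identity
          git config user.email "lgtm-bot@example.com"
          # Token in the URL is honoured only because no extraheader survived checkout.
          git remote set-url origin "https://x-access-token:${LGTM_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"

          commit="${GITHUB_SHA}"
          case "$(git log -1 --format=%B "$commit")" in
            */cherry-pick*) ;;
            *) echo "commit not marked for cherry-pick"; exit 0 ;;
          esac

          for rb in $(git branch -r | grep 'origin/release-' | sed 's#^ *origin/##'); do
            branch="cherry-pick-${rb}-${commit:0:7}"
            git checkout -b "$branch" "origin/${rb}"
            if ! git cherry-pick -x "$commit"; then
              echo "conflict on ${rb}; skipping" >&2
              git cherry-pick --abort
              git checkout master
              continue
            fi
            git push origin "$branch"
            gh pr create --base "$rb" --head "$branch" \
              --title "[${rb}] $(git log -1 --format=%s "$commit")" \
              --body "Cherry-pick of ${commit} into ${rb}."
            git checkout master
          done
```

The guard step is the useful part for a reviewer: it turns the two silent failures in the Background section (an empty loop, and a 403 only at push time) into an immediate, named failure before any push is attempted. If a workflow cannot set persist-credentials: false for some reason, `git config --unset-all http.https://github.com/.extraheader` after checkout removes the persisted header, but that only works if the runner's git config is the one the later push uses, so the explicit checkout setting is the safer choice.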

tamalsaha added 3 commits May 20, 2026 11:59
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
The hardened workflow uses actions/checkout@v4 which defaults to
fetch-depth: 1, so `git branch -r | grep release` in
hack/scripts/cherry-pick.sh returned nothing and the loop body
never executed. Cherry-pick PRs stopped being created after #1732.

Signed-off-by: Tamal Saha <tamal@appscode.com>
actions/checkout defaults to persist-credentials: true, which leaves
an http.extraheader with the workflow's GITHUB_TOKEN in git config.
That overrides the LGTM token in the URL set by `git remote set-url`,
so `git push` fails with "Permission denied to github-actions[bot]"
when pushing the cherry-pick branch.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha force-pushed the harden-ci-workflows-v2 branch from b63c876 to 04d810b May 20, 2026 05:59
@tamalsaha tamalsaha merged commit 7ba3390 into master May 20, 2026
5 checks passed
@tamalsaha tamalsaha deleted the harden-ci-workflows-v2 branch May 20, 2026 06:00
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this pull request May 20, 2026
/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>