Harden CI workflows (#84)

* Harden GitHub Actions workflows

- Pin every action ref to a full-length commit SHA with a trailing
  version comment, so floating tags like @v4 can't be re-pointed at
  malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and
  fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the
  default GITHUB_TOKEN can push commits/tags back to the repo.

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Add job permissions for workflow

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Normalize Prepare git user, fetch-depth, drop permission-issues

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Add 1gtm-app[bot] to kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Normalize kodiak auto_approve_usernames

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Bump softprops/action-gh-release to v2.6.2; add permissions

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Makefile: use --tags in git describe so lightweight tags resolve

Signed-off-by: Tamal Saha <tamal@appscode.com>

---------

Signed-off-by: Tamal Saha <tamal@appscode.com>

Author: tamalsaha

.github/.kodiak.toml

@@ -15,4 +15,4 @@ strip_html_comments = true # default: false
 always = true # default: false
 
 [approve]
-auto_approve_usernames = ["1gtm", "tamalsaha"]
+auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"]

.github/workflows/ci.yml

@@ -19,13 +19,13 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Set up Go 1.25
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: '1.25'
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run checks
         run: |

.github/workflows/release.yml

@@ -14,9 +14,13 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v1
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
 
       - name: Print version info
         id: semver
@@ -25,12 +29,12 @@ jobs:
 
       - name: Set up QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         with:
           cache-image: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build
         env:
@@ -39,7 +43,7 @@ jobs:
           make release
 
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |

Makefile

@@ -21,7 +21,7 @@ COMPRESS ?= no
 
 # This version-strategy uses git tags to set the version string
 git_branch       := $(shell git rev-parse --abbrev-ref HEAD)
-git_tag          := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "")
+git_tag          := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "")
 commit_hash      := $(shell git rev-parse --verify HEAD)
 commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T)