Fix formatting for release candidate templates #380
Merged
20a45bc to 375d28a
aanm requested changes on Jan 16, 2026
There were some malformatted sections and improper links here, fix them up. Signed-off-by: Joe Stringer <joe@cilium.io>
This step is already in the relevant section under "pre-check" for RCs following branch creation. Signed-off-by: Joe Stringer <joe@cilium.io>
Tidy up some of these instructions to be clearer. Signed-off-by: Joe Stringer <joe@cilium.io>
Move the CI image creation to after the branch creation, as that's a more logical point to make the change. This should also mean that we can run the CI workflows for the PR targeted at main (next step). Signed-off-by: Joe Stringer <joe@cilium.io>
Recently GitHub changed workflow events to only use the default branch for the workflow source. This means that any workflow which exclusively uses pull_request_target will be ineffective on stable branches. Remove them.

https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/

> The pull_request_target event now always uses the default branch for workflow source and reference:
>
> The workflow file and checkout commit will always be taken from the repository’s default branch, regardless of the pull request’s base branch. This prevents outdated—and potentially vulnerable—workflows on other branches within the repository from being executed in these events. GITHUB_REF for pull_request_target will resolve to the default branch, and GITHUB_SHA will point to the latest commit on that branch. This aligns ref semantics with the security model and closes a known class of vulnerabilities where untrusted names or branches could influence evaluation. Previously, any branch within the parent repository set as the base branch of a pull request could have been used as the source of the executed workflow (GITHUB_REF/GITHUB_SHA) and could result in the execution of outdated workflows. Historically, this behavior has led to the exploitation of outdated workflows that contained vulnerabilities in pull_request_target workflows that were presumed to be remediated since they were fixed in the default branch. This change will ensure only the default branch of the repository can be used as the workflow source that is executed for these events, enabling remediation of vulnerabilities in pull_request_target workflows in a way that better aligns with developers’ expectations on vulnerability remediation and without the need to update all outdated branches in the repository.
>
> While this change helps enable the remediation of vulnerabilities in pull_request_target workflows in a repository, it is important to note that the use of pull_request_target events in combination with pull requests from forks has an increased risk. pull_request_target events execute based on user-supplied pull requests, which can come from external forks, and are executed with access to action secrets. Given this attack surface, care should be taken to avoid action workflow vulnerabilities and to ensure untrusted code or input is not being used in a way that could influence execution. GitHub’s code scanning with CodeQL can be used to identify vulnerabilities in action workflows and is free for all public repositories.
>
> Another change is that environment branch protection rules for pull request events evaluate against the executing reference:
>
> * To prevent unintended access to environment secrets during pull request workflows, environment branch protection rules will evaluate against the execution reference (GITHUB_REF), not the pull request head (HEAD_REF).
> * For pull_request, pull_request_review, and pull_request_review_comment, environment rules evaluate against refs/pull/number/merge. This matches the merge commit context those events use during execution.
> * For pull_request_target, environment rules evaluate against the default branch. This is consistent with the updated GITHUB_REF and ensures policy checks occur against a trusted ref.

Signed-off-by: Joe Stringer <joe@cilium.io>
For easier review, break this down into three commits - the main stable branch prep parts, the github config deletion, and the CLI deletion. Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Joe Stringer <joe@cilium.io>
Previously there was a step here to ensure each branch used its own copy of the reusable workflows. However, recent changes should have made these workflows reusable from the main branch for every stable branch. Remove the step that forces stable branches to use the stable branch copy of the reusable release workflow. Signed-off-by: Joe Stringer <joe@cilium.io>
This regex matched two references under .github, one that points towards
the community repository and the other which points to some code in the
same repo. We could fix this up to an expression like this:
$ sed -i 's;\(cilium/blob/\)main/;\1vX.Y);g'
However, it doesn't seem that critical to point to the same branch's
code in comments in GitHub workflows. We can instead simplify the steps by
just dropping this expression altogether.
Signed-off-by: Joe Stringer <joe@cilium.io>
Add 'base:main' to the search term for the link which is used to determine changes for the feature freeze. Signed-off-by: Joe Stringer <joe@cilium.io>
This referred to monthly cadence which isn't how we schedule RCs. Fix it. Signed-off-by: Joe Stringer <joe@cilium.io>
The reference did not match the URL definition, fix it. Signed-off-by: Joe Stringer <joe@cilium.io>
Fix up the golden copy of these so the tests pass. Signed-off-by: Joe Stringer <joe@cilium.io>
c1f781a to b5e4e28
Member
Author
@aanm fixed in a new commit 🙏
aanm approved these changes on Jan 19, 2026
Update the stable branch creation steps and other RC preparation steps based on the learnings from branching for v1.19.
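
A check for the condition described in the pull_request_target commit message above, as an added example that is not part of this pull request or of the Cilium release tooling: it lists workflow files whose only trigger is pull_request_target, which no longer take effect when they live on a non-default branch. The sample files and all function names are constructed for illustration, and the parser assumes the block or inline-list forms of the top-level `on:` key.

```python
import re
from pathlib import Path

# Constructed sample workflow files (not taken from the Cilium repository).
SAMPLES = {
    "labeler.yaml": 'name: labeler\non:\n  pull_request_target:\n    types: [opened]\njobs: {}\n',
    "lint.yaml": 'name: lint\non: [push, pull_request_target]\njobs: {}\n',
    "build.yaml": 'name: build\n"on": pull_request_target\njobs: {}\n',
    "tests.yaml": 'name: tests\non:\n  pull_request: {}\n  push:\n    branches: [main]\njobs: {}\n',
}

def workflow_triggers(text):
    """Return the event names under the top-level `on:` key.
    Assumption: flow mappings such as `on: {push: {}}` are not handled."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^['"]?on['"]?\s*:\s*(.*)$""", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:  # scalar form or inline list form
            return {e.strip(" '\"") for e in inline.strip("[]").split(",") if e.strip()}
        events, indent = set(), None
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            depth = len(sub) - len(sub.lstrip())
            if depth == 0:
                break  # reached the next top-level key
            if indent is None:
                indent = depth  # indentation of the event names
            if depth == indent:
                events.add(sub.strip().lstrip("- ").split(":")[0].strip(" '\""))
        return events
    return set()

def only_pull_request_target(files):
    """Names of workflows triggered exclusively by pull_request_target."""
    return sorted(n for n, t in files.items()
                  if workflow_triggers(t) == {"pull_request_target"})

def scan_dir(root=".github/workflows"):
    """Run the same check over a checked-out stable branch."""
    files = {p.name: p.read_text() for p in Path(root).glob("*.y*ml")}
    return only_pull_request_target(files)

if __name__ == "__main__":
    print(only_pull_request_target(SAMPLES))
```

Workflows that mix pull_request_target with other events are deliberately not reported, since their other triggers still run from the stable branch.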