Cherry-pick cbf146b with conflicts

Author: vitess-bot[bot]

.github/workflows/assign_milestone.yml

@@ -4,7 +4,9 @@ on:
   pull_request_target:
     types: [opened]
 
-permissions: read-all
+permissions:
+  pull-requests: write
+  contents: read
 
 env:
   GH_TOKEN: ${{ github.token }}
@@ -13,18 +15,34 @@ jobs:
   build:
     name: Assign Milestone
     runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write
 
     steps:
+<<<<<<< HEAD
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.22.10
 
       - name: Checkout code
         uses: actions/checkout@v4
+=======
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # We must explicitly checkout the base's SHA to avoid executing any code coming from
+          # the PR's SHA - Which would be executed in the base branch's context.
+          # This is really important to limit any sort of pwn requests.
+          ref: ${{ github.base_ref }}
+          persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
       - name: Assign Milestone
         run: |
-          gh pr edit ${{ github.event.number }} --milestone "v$(sed -n 's/.*versionName.*\"\([[:digit:]\.]*\).*\"/\1/p' ./go/vt/servenv/version.go)"
+          # Ensure the content we sed from version.go is sanitized and match the correct format
+          VERSION=$(sed -n 's/.*versionName.*\"\([[:digit:]\.]*\).*\"/\1/p' ./go/vt/servenv/version.go)
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Invalid version format: $VERSION"
+            exit 1
+          fi
+
+          gh pr edit ${{ github.event.number }} --milestone "v$VERSION"

.github/workflows/auto_approve_pr.yml

@@ -16,7 +16,14 @@ jobs:
 
     steps:
       - name: Checkout code
+<<<<<<< HEAD
         uses: actions/checkout@v4
+=======
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
       - name: Auto Approve Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/check_make_vtadmin_authz_testgen.yml

@@ -27,7 +27,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'

.github/workflows/check_make_vtadmin_web_proto.yml

@@ -27,7 +27,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'

.github/workflows/cluster_endtoend_12.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   build:
+    timeout-minutes: 60
     name: Run endtoend tests on Cluster (12)
     runs-on: ubuntu-24.04
 
@@ -45,7 +46,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +98,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo

.github/workflows/cluster_endtoend_13.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   build:
+    timeout-minutes: 60
     name: Run endtoend tests on Cluster (13)
     runs-on: ubuntu-24.04
 
@@ -45,7 +46,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +98,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo

.github/workflows/cluster_endtoend_15.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   build:
+    timeout-minutes: 60
     name: Run endtoend tests on Cluster (15)
     runs-on: ubuntu-24.04
 
@@ -45,7 +46,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +98,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo

.github/workflows/cluster_endtoend_18.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   build:
+    timeout-minutes: 60
     name: Run endtoend tests on Cluster (18)
     runs-on: ubuntu-24.04
 
@@ -45,7 +46,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +98,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo

.github/workflows/cluster_endtoend_21.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   build:
+    timeout-minutes: 60
     name: Run endtoend tests on Cluster (21)
     runs-on: ubuntu-24.04
 
@@ -45,7 +46,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520))
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +98,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo

.github/workflows/cluster_endtoend_22.yml

@@ -15,7 +15,12 @@ env:
 
 jobs:
   build:
+<<<<<<< HEAD:.github/workflows/cluster_endtoend_22.yml
     name: Run endtoend tests on Cluster (22)
+=======
+    timeout-minutes: 60
+    name: Run endtoend tests on Cluster (vtgate_plantests)
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520)):.github/workflows/cluster_endtoend_vtgate_plantests.yml
     runs-on: ubuntu-24.04
 
     steps:
@@ -45,7 +50,13 @@ jobs:
 
     - name: Check out code
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
+<<<<<<< HEAD:.github/workflows/cluster_endtoend_22.yml
       uses: actions/checkout@v4
+=======
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
+>>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520)):.github/workflows/cluster_endtoend_vtgate_plantests.yml
 
     - name: Check for changes in relevant files
       if: steps.skip-workflow.outputs.skip-workflow == 'false'
@@ -91,6 +102,7 @@ jobs:
 
     - name: Get dependencies
       if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
+      timeout-minutes: 10
       run: |
         
         # Get key to latest MySQL repo