Skip to content

Commit

Permalink
Disable credentials persistence in Github checkout action
Browse files Browse the repository at this point in the history
According to a couple of articles, the default should be `false`, but
it's not, which makes the token exposed to actions that do not need it.
According to a linter I tried just for fun, we should enforce it to
close this hole.

[1] actions/checkout#485
[2] https://github.com/woodruffw/zizmor
  • Loading branch information
happz committed Oct 31, 2024
1 parent c1ac0ad commit 16d94b3
Show file tree
Hide file tree
Showing 4 changed files with 8 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/doc-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- uses: actions/setup-python@v5
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/pre-commit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ jobs:
SKIP: no-commit-to-branch
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: |
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,13 @@ jobs:
# Check out the repo
- uses: actions/checkout@v4
if: ${{ github.event_name == 'release' }}
with:
persist-credentials: false
- uses: actions/checkout@v4
if: ${{ github.event_name == 'workflow_dispatch' }}
with:
ref: ${{ github.event.inputs.ref }}
persist-credentials: false

# Setup python
- uses: actions/setup-python@v5
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/shellcheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false

- id: ShellCheck
name: Differential ShellCheck
Expand Down

0 comments on commit 16d94b3

Please sign in to comment.