ci: Never persist credentials after calling `checkout`

diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 7c594ec327e2bb39d894aca78e1cfd83edea16d0..c53d14ebf7e23150e1ed1345b55665cd27915735 100644 (file)
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -74,6 +74,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: get timestamp for cache
         id: get-stamp
         run: |
@@ -165,6 +166,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: get timestamp for cache
         id: get-stamp
         run: |
@@ -252,6 +254,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: get timestamp for cache
         id: get-stamp
         run: |
@@ -358,6 +361,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -489,6 +493,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -532,6 +537,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -581,6 +587,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -634,6 +641,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -688,6 +696,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -733,6 +742,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -793,6 +803,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"
       - name: Fetch the binaries
         uses: actions/download-artifact@v4
@@ -830,6 +841,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: install pip build dependencies
         run: |
           python3 -m venv ${REPO_HOME}/.venv
@@ -869,6 +881,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: Get list of jobs in the workflow
         run: "cat .github/workflows/build-and-test-all.yml | jc --yaml | jq -rS '.[].jobs | keys | .[]' | grep -vE 'collect|get-runner-container-image' | tee /tmp/workflow-jobs-list.yml"
       - name: Get list of prerequisite jobs

diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index 3ce2b98aadc36cdf9ce291c826f9050db5029736..18097d7667bc425d38ced9347a74b1035dc040be 100644 (file)
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -60,6 +60,7 @@ jobs:
           fetch-depth: 0
           submodules: recursive
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       - name: validate reference only if image will be pushed
         if: ${{ inputs.push }}
         run: |
@@ -77,6 +78,7 @@ jobs:
           fetch-depth: 0
           submodules: recursive
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:

diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index ad0755b3537d7e7f35cd2780375054c5aa585477..9610e7c86281e239720f8d362a7b9b79911d30c0 100644 (file)
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -61,6 +61,7 @@ jobs:
           fetch-depth: 1
           submodules: recursive
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       - id: get-oslist
         run: |
           available_targets=$(ls builder-support/dockerfiles/Dockerfile.target.* )
@@ -114,6 +115,7 @@ jobs:
           fetch-depth: 0 # for correct version numbers
           submodules: recursive
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       # this builds packages and runs our unit tests (make check)
       - run: IS_RELEASE=${{ inputs.is_release}} builder/build.sh -v -m ${{ inputs.product }} ${{ matrix.os }}
       - name: Get version number

diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 2f5ec84603a5cff5504d32d948c1ddb5b3b3b7fd..690d426719950158747c914cdf217275d5d50de1 100644 (file)
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -50,6 +50,7 @@ jobs:
           fetch-depth: 0  # for correct version numbers
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       # this builds packages and runs our unit test (make check)
       - run: builder/build.sh -v -m ${{ matrix.product }} ${{ matrix.os }}
       - name: Get version number

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 84f077eeeeb33e0828d676c601accdda182c67c8..5847eedb0833ed1c1b47d107076343bc783a883e 100644 (file)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -66,6 +66,7 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
     - uses: actions/setup-python@v5
       with:
         python-version: '3.11'
@@ -282,4 +283,5 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 2
+        persist-credentials: false
     - run: if [[ "$(file -i --dereference $(git diff --name-only HEAD^..HEAD -- . :^fuzzing/corpus) | grep binary | grep -v 'image/' | grep -v 'inode/x-empty' | grep -v 'inode/directory' | grep -v '^modules/lmdbbackend/test-assets/' | grep -v '^website/docs.powerdns.com/website/fonts/' | grep -v '^website/docs.powerdns.com/website/img/' | grep -v '^modules/tinydnsbackend/data.cdb' | tee /dev/stderr)" != "" ]]; then exit 1; fi

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 4433da6badb5abab293ae7262a42f46c0cafaa52..bd0e432208b2165f59d8f332f43161d7410de47d 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -36,6 +36,7 @@ jobs:
         with:
           fetch-depth: 5
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
@@ -65,6 +66,7 @@ jobs:
         with:
           fetch-depth: 5
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
@@ -107,6 +109,7 @@ jobs:
         with:
           fetch-depth: 5
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 820c1624a7ae8255f4a6842ee1843b402cdd4784..9fe5cd6c67dcdf3e42ff4fea11eec617c2e770f3 100644 (file)
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -54,6 +54,8 @@ jobs:
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
@@ -212,6 +214,8 @@ jobs:
           fi
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
       - uses: actions/download-artifact@v4
         with:
@@ -268,6 +272,8 @@ jobs:
             exit 1
           fi
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 1e3e7a5e9e91291baeff1b65a1c841e8e85d1272..05fd847f7dd787334b6fafee2a45362e610f7905 100644 (file)
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -18,6 +18,7 @@ jobs:
         with:
           fetch-depth: 5
           submodules: recursive
+          persist-credentials: false
       - name: Update dependencies
         run: |
           sudo apt-get update

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 182013c75ca6b2a33b38c0fca8166cc21519db59..e8c624edac9221d1bc0e0b42dd04b94e4fd6a6d0 100644 (file)
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -12,6 +12,7 @@ jobs:
       with:
         fetch-depth: 5
         submodules: recursive
+        persist-credentials: false
     - run: docker build -t gcr.io/oss-fuzz-base/base-builder:latest -f Dockerfile-cifuzz .
     - name: Build Fuzzers
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master

diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml
index e5341ffadbcff0d26178bd7d7e38f7294071240b..2bf15749ee43636bdd555e958d6dc151ad34b61f 100644 (file)
--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
@@ -35,6 +35,7 @@ jobs:
       with:
         fetch-depth: 5
         submodules: recursive
+        persist-credentials: false
 
     - name: Check if Debian is about to toss us off a balcony
       run: ./build-scripts/check-debian-autoremovals.py
@@ -90,6 +91,8 @@ jobs:
       req-files: ${{ steps.get-list-requirements.outputs.files }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Get all requirements.txt files and export them as outputs
       id: get-list-requirements
       run: |
@@ -117,6 +120,8 @@ jobs:
       - run: echo "${{ matrix.requirements-file }}"
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
@@ -148,6 +153,7 @@ jobs:
           fetch-depth: 5
           submodules: recursive
           ref: ${{ inputs.branch-name }}
+          persist-credentials: false
       - name: Add PowerDNS Repo
         run: echo 'deb [signed-by=/etc/apt/keyrings/rec-master-pub.asc] http://repo.powerdns.com/ubuntu noble-rec-master main' | sudo tee /etc/apt/sources.list.d/pdns.list
       - name: Add key

diff --git a/.github/workflows/secpoll.yml b/.github/workflows/secpoll.yml
index 8f9fbdd050b941e671edf23b1f4569645baf6adc..314daa2531154f24707a705da99427ce40ab483b 100644 (file)
--- a/.github/workflows/secpoll.yml
+++ b/.github/workflows/secpoll.yml
@@ -19,6 +19,7 @@ jobs:
         with:
           fetch-depth: 5
           submodules: recursive
+          persist-credentials: false
       - run: sh docs/secpoll-check.sh docs/secpoll.zone
       - run: echo 'deb [arch=amd64] http://repo.powerdns.com/ubuntu noble-auth-master main' | sudo tee /etc/apt/sources.list.d/pdns.list
       - run: "echo -ne 'Package: pdns-*\nPin: origin repo.powerdns.com\nPin-Priority: 600\n' | sudo tee /etc/apt/preferences.d/pdns"