From: Viktor Szakats
Date: Sat, 14 Dec 2024 23:45:04 +0000 (+0100)
Subject: GHA: set `persist-credentials: false`
X-Git-Tag: curl-8_12_0~345
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba9fe58d4331402a24495618668b2cc8afe9794e;p=thirdparty%2Fcurl.git
GHA: set `persist-credentials: false`
Suggested by zizmor GHA analysis tool.
Also:
- Move GH variables within single-quotes.
- Prefer single-quotes in shell code. (tidy-up)
Ref: https://github.com/actions/checkout/issues/485
Ref: https://github.com/actions/checkout/pull/1687
Ref: https://woodruffw.github.io/zizmor/
Closes #15746
---
diff --git a/.github/workflows/checkdocs.yml b/.github/workflows/checkdocs.yml
index 8f74f463f8..e9037a50da 100644
--- a/.github/workflows/checkdocs.yml
+++ b/.github/workflows/checkdocs.yml
@@ -37,6 +37,8 @@ jobs:
 # runs-on: ubuntu-latest
 # steps:
 # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+ # with:
+ # persist-credentials: false
 # name: checkout
 #
 # - name: install prereqs
@@ -89,6 +91,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: Run mdlinkcheck
@@ -98,6 +102,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: trim all man page *.md files
@@ -124,6 +130,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: badwords
@@ -136,6 +144,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: render nroff versions
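Review bot: The commented-out job in the first checkdocs hunk (`@@ -37,6 +37,8 @@`) still pins `actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871`, while every live job touched by this commit uses `11bd71901bbe5b1630ceea73d27597364c9af683`. Since the dormant block is being edited anyway to mirror the `persist-credentials: false` change, aligning the pin at the same time avoids re-enabling the job later on an older revision of the action. The change is the single commented line, `# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`. The job definition itself starts above the hunk.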
@@ -149,6 +159,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: spacecheck
diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml
index 02c864b9bd..075bf50768 100644
--- a/.github/workflows/checksrc.yml
+++ b/.github/workflows/checksrc.yml
@@ -36,6 +36,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: check
@@ -45,6 +47,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: install
@@ -81,6 +85,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: REUSE Compliance Check
@@ -91,6 +97,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 name: checkout
 - name: shellcheck
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9a269cb9bc..d5cbc23541 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -48,6 +48,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/configure-vs-cmake.yml b/.github/workflows/configure-vs-cmake.yml
index 57ec347b3f..e0a3086a0e 100644
--- a/.github/workflows/configure-vs-cmake.yml
+++ b/.github/workflows/configure-vs-cmake.yml
@@ -33,6 +33,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: run configure --with-openssl
 run: |
@@ -71,6 +73,8 @@ jobs:
 echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: run configure --with-openssl
 run: |
@@ -108,6 +112,8 @@ jobs:
 run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: run configure --with-schannel
 run: |
diff --git a/.github/workflows/curl-for-win.yml b/.github/workflows/curl-for-win.yml
index d844d414b4..8f3cbca5d8 100644
--- a/.github/workflows/curl-for-win.yml
+++ b/.github/workflows/curl-for-win.yml
@@ -48,6 +48,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+ persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -75,6 +76,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+ persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -101,6 +103,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+ persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -116,6 +119,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+ persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
diff --git a/.github/workflows/distcheck.yml b/.github/workflows/distcheck.yml
index 8790157f9a..ed2076dda0 100644
--- a/.github/workflows/distcheck.yml
+++ b/.github/workflows/distcheck.yml
@@ -25,6 +25,8 @@ jobs:
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
 name: 'remove preinstalled curl libcurl4{-doc}'
@@ -129,6 +131,8 @@ jobs:
 needs: maketgz-and-verify-in-tree
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
@@ -141,6 +145,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
 name: 'remove preinstalled curl libcurl4{-doc}'
diff --git a/.github/workflows/hacktoberfest-accepted.yml b/.github/workflows/hacktoberfest-accepted.yml
index 2b8d0acb89..6b07f0be02 100644
--- a/.github/workflows/hacktoberfest-accepted.yml
+++ b/.github/workflows/hacktoberfest-accepted.yml
@@ -28,6 +28,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+ persist-credentials: false
 fetch-depth: 100
 - name: Check whether repo participates in Hacktoberfest
@@ -40,13 +41,13 @@ jobs:
 - name: Search relevant commit message lines starting with Closes/Merges
 run: |
- git log --format=email ${{ github.event.before }}..${{ github.event.after }} | \
- grep -Ei "^Close[sd]? " | sort | uniq | tee log
+ git log --format=email '${{ github.event.before }}..${{ github.event.after }}' | \
+ grep -Ei '^Close[sd]? ' | sort | uniq | tee log
 if: steps.check.outputs.label == 'hacktoberfest'
 - name: Search for Number-based PR references
 run: |
- grep -Eo "#([0-9]+)" log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
+ grep -Eo '#([0-9]+)' log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
 gh pr view {} --json number,createdAt \
 --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
 grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
@@ -57,8 +58,8 @@ jobs:
 - name: Search for URL-based PR references
 run: |
- grep -Eo "github.com/(.+)/(.+)/pull/([0-9]+)" log | sort | uniq | xargs -t -n1 -I{} \
- gh pr view "https://{}" --json number,createdAt \
+ grep -Eo 'github.com/(.+)/(.+)/pull/([0-9]+)' log | sort | uniq | xargs -t -n1 -I{} \
+ gh pr view 'https://{}' --json number,createdAt \
 --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
 grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
 gh pr edit {} --add-label 'hacktoberfest-accepted'
diff --git a/.github/workflows/http3-linux.yml b/.github/workflows/http3-linux.yml
index c047857bab..6661faaee2 100644
--- a/.github/workflows/http3-linux.yml
+++ b/.github/workflows/http3-linux.yml
@@ -450,6 +450,8 @@ jobs:
 name: 'build quiche and boringssl'
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - run: autoreconf -fi
 if: ${{ matrix.build.configure }}
diff --git a/.github/workflows/linux-old.yml b/.github/workflows/linux-old.yml
index a4adebbcce..b1cd59db0d 100644
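Review bot: Single-quoting `${{ github.event.before }}..${{ github.event.after }}` in the first `run:` block of the hacktoberfest hunk does not make the expression shell-safe, because the runner substitutes `${{ }}` into the script text before the shell ever parses it, so a value containing a quote would still terminate the string. For push events both fields are commit SHAs, so the practical exposure is small, but the robust form (and the one template-injection checkers such as zizmor look for) is to pass the values through the step's `env:` and expand them as shell variables, where the shell's own quoting genuinely applies. The workflow's trigger is outside the hunk, so whether these fields can carry anything other than SHAs cannot be confirmed from here; the rewritten step below leaves the rest of the pipeline and the `if:` condition unchanged.
```yaml
- name: Search relevant commit message lines starting with Closes/Merges
  env:
    BEFORE: ${{ github.event.before }}
    AFTER: ${{ github.event.after }}
  run: |
    git log --format=email "$BEFORE..$AFTER" | \
    grep -Ei '^Close[sd]? ' | sort | uniq | tee log
  # … unchanged: if: condition and the following steps …
```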
--- a/.github/workflows/linux-old.yml
+++ b/.github/workflows/linux-old.yml
@@ -74,6 +74,8 @@ jobs:
 dpkg -i libc6_*_amd64.deb
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'cmake build-only (out-of-tree, libssh2)'
 run: |
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ee06e069eb..3fcdfed4b3 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -320,6 +320,8 @@ jobs:
 name: 'install dependencies'
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'Fix kernel mmap rnd bits'
 # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index e4a5b63cea..b6d3e909d4 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -208,6 +208,8 @@ jobs:
 fi
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'toolchain versions'
 run: |
@@ -416,6 +418,8 @@ jobs:
 while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'toolchain versions'
 run: |
diff --git a/.github/workflows/non-native.yml b/.github/workflows/non-native.yml
index f3f5375282..e11bd086e0 100644
--- a/.github/workflows/non-native.yml
+++ b/.github/workflows/non-native.yml
@@ -45,6 +45,8 @@ jobs:
 arch: ['x86_64']
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'cmake'
 uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
 with:
@@ -83,6 +85,8 @@ jobs:
 arch: ['x86_64']
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'cmake'
 uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
 with:
@@ -126,6 +130,8 @@ jobs:
 fail-fast: false
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'autotools'
 if: ${{ matrix.build == 'autotools' }}
 uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
@@ -193,6 +199,8 @@ jobs:
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'autotools'
 uses: vmactions/omnios-vm@16b5996777bc675acd3d537f13df536a526cd16d # v1
 with:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index cdcdcfc443..a3c0bb7fc9 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -55,6 +55,8 @@ jobs:
 - run: git config --global core.autocrlf input
 shell: pwsh
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4
 with:
 platform: ${{ matrix.platform }}
@@ -187,6 +189,8 @@ jobs:
 shell: pwsh
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2
 if: ${{ matrix.sys == 'msys' }}
@@ -409,6 +413,8 @@ jobs:
 - run: git config --global core.autocrlf input
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'configure'
 timeout-minutes: 5
@@ -495,6 +501,8 @@ jobs:
 run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64 ${{ matrix.build == 'cmake' && 'ninja-build' || '' }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'autoreconf'
 if: ${{ matrix.build == 'autotools' }}
@@ -662,6 +670,8 @@ jobs:
 fail-fast: false
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: 'vcpkg cache setup'
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7