Set `persist-credentials: false` for actions/checkout.
By default, using `actions/checkout` causes a credential to be persisted on
disk. Subsequent steps may accidentally persist the credential publicly, e.g.
by including it in a publicly accessible artifact via actions/upload-artifact.
However, even without this, persisting the credential on disk is non-ideal
unless actually needed.
Link: https://docs.zizmor.sh/audits/#artipacked
steps:
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- name: Setup python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
with:
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
steps:
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: |
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
fetch-depth: 0
+ persist-credentials: false
- name: Development Freezer
uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
fetch-depth: 0
+ persist-credentials: false
- name: Differential ShellCheck
uses: redhat-plumbers-in-action/differential-shellcheck@d965e66ec0b3b2f821f75c8eff9b12442d9a7d1e
steps:
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- id: metadata
name: Gather Pull Request Metadata
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- name: Parse issue form
uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
if: github.event_name == 'pull_request'
+ with:
+ persist-credentials: false
- name: Label PR based on policy in labeler.yml
uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b
with:
# We need a full repo clone
fetch-depth: 0
+ persist-credentials: false
- name: Lint Code Base
uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
steps:
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- name: Install build dependencies
uses: jirutka/setup-alpine@v1
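Review bot: `uses: jirutka/setup-alpine@v1` on the context line directly after the hardened checkout still references a mutable tag, while every other action visible in these hunks is pinned to a full commit SHA. A `v1` tag can be moved to different code at any time, and whatever it then points to runs with the job token and the freshly checked-out tree, which weakens the credential hardening this commit adds. Pinning it to the commit the tag currently resolves to, `uses: jirutka/setup-alpine@<commit-sha-that-v1-resolves-to>  # v1`, would match the pinning style of the surrounding steps, and zizmor's unpinned-uses audit would presumably flag this line as well. The step's own `with:` block, if it has one, lies outside the hunk.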
steps:
- name: Repository checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
- name: Install build dependencies
run: |
# Drop XDG_* stuff from /etc/environment, so we don't get the user