github/workflows: disable persisting credentials for actions/checkout

Set `persist-credentials: false` for actions/checkout.

By default, using `actions/checkout` causes a credential to be persisted on
disk.  Subsequent steps may accidentally publicly persist the credential, e.g.
by including it in a publicly accessible artifact via actions/upload-artifact.
However, even without this, persisting the credential on disk is non-ideal
unless actually needed.

Link: https://docs.zizmor.sh/audits/#artipacked

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 06bff4bc74d50e41618444a0d4d059b975807179..4a99f9ece649efcd5718362bccf6a94971d7a784 100644 (file)
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -52,6 +52,8 @@ jobs:
     steps:
       - name: Repository checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Setup python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d6f3a9b4704677b41b7d22a14fc6ed0936f95cd7..8432da069ff265f048da306216befb6adb3c7d87 100644 (file)
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -43,6 +43,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 59b6df16dc3b20af658c35e70043d517145b2941..7ebb7491506a7ae94d3ff7c9a46860256869ec1b 100644 (file)
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -25,6 +25,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 2ca2ac8a2663082a6d90e30ad996d93cfd699969..792cb916926ae264b5a7c384a165a81a0e005a67 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Repository checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       # Reuse the setup phase of the unit test script to avoid code duplication
       - name: Install build dependencies
         run: |

diff --git a/.github/workflows/development-freeze.yml b/.github/workflows/development-freeze.yml
index c1d7ba76c4162941cfc199cec495f0b5961885e4..be75a2c421c58fcce3532133a5e10b1cb59bc1cc 100644 (file)
--- a/.github/workflows/development-freeze.yml
+++ b/.github/workflows/development-freeze.yml
@@ -33,6 +33,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Development Freezer
         uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173

diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 8c0f2d573e3d7b6566756185ccdc20507500ec78..7d3dc5f9165bcf634e6eb949af65d605eff95e85 100644 (file)
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -26,6 +26,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Differential ShellCheck
         uses: redhat-plumbers-in-action/differential-shellcheck@d965e66ec0b3b2f821f75c8eff9b12442d9a7d1e

diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index d5471aa5856596224724df2441fb8576deb46858..f9cfd9154e61ce0b3353d2b5f6e0640bc1a5faea 100644 (file)
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Repository checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - id: metadata
         name: Gather Pull Request Metadata

diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
index 0955af535c7e16c5bbbbb6e0ce135327ccf43330..a5f1fb07577f950d1820570b07c0009afef27836 100644 (file)
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -21,6 +21,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Parse issue form
         uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index fd87a570bece6f94af2a9e4bae4f3582f9942eb8..49b6d1fb367345b5af1ea865fcf0e77063ed3a58 100644 (file)
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -32,6 +32,8 @@ jobs:
     - name: Repository checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       if: github.event_name == 'pull_request'
+      with:
+        persist-credentials: false
 
     - name: Label PR based on policy in labeler.yml
       uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 52670eaa6bb04aa4026a0c6ef27a94122c7a9820..2264beb92f13b347a3012b73a00ab4fa5f46c5e2 100644 (file)
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -27,6 +27,7 @@ jobs:
         with:
           # We need a full repo clone
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint Code Base
         uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e

diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index a44f667cec2fb24ff39981b225157c51d661bb93..e011c146231d96df98c93956643cdc22fdba6899 100644 (file)
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -167,6 +167,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space

diff --git a/.github/workflows/unit-tests-musl.yml b/.github/workflows/unit-tests-musl.yml
index aa77afb674b430a30506dfc495e42c06e50e3f68..2120eddeeb1dcd50a4808801d419f068d2c48099 100644 (file)
--- a/.github/workflows/unit-tests-musl.yml
+++ b/.github/workflows/unit-tests-musl.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Repository checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Install build dependencies
         uses: jirutka/setup-alpine@v1

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 387ab8edd1aed19e0dcba97238b12eeb1cc4e659..799506401781c2ecacdfad75baab503be815b8fc 100644 (file)
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -41,6 +41,8 @@ jobs:
     steps:
       - name: Repository checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Install build dependencies
         run: |
           # Drop XDG_* stuff from /etc/environment, so we don't get the user