From: Remi Gacogne Date: Tue, 27 May 2025 12:54:52 +0000 (+0200) Subject: ci: Never persist credentials after calling `checkout` X-Git-Tag: dnsdist-2.0.0-beta1~55^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a35c114daea2ec85122f69ea503dc2bac7083bc;p=thirdparty%2Fpdns.git ci: Never persist credentials after calling `checkout` --- diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml index 7c594ec327..c53d14ebf7 100644 --- a/.github/workflows/build-and-test-all.yml +++ b/.github/workflows/build-and-test-all.yml @@ -74,6 +74,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: get timestamp for cache id: get-stamp run: | @@ -165,6 +166,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: get timestamp for cache id: get-stamp run: | @@ -252,6 +254,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: get timestamp for cache id: get-stamp run: | @@ -358,6 +361,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -489,6 +493,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 
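Review bot: `persist-credentials: false` on the checkout at @@ -74 keeps the token out of `.git/config`, but the job still runs with whatever `GITHUB_TOKEN` scope the workflow grants, and no `permissions:` block is visible in this hunk; if none exists the job inherits the repository default, which may be read-write. Pairing this change with an explicit least-privilege grant at workflow or job level, `permissions:` followed by `  contents: read`, means a compromised later step has no useful ambient token even though the git credential is no longer persisted. I cannot see the top of the workflow from here, so this may already be in place. The enclosing `steps:` list continues outside the hunk.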
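Review bot: The step immediately after the new line in the hunks at @@ -358 and @@ -489, `- run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV"`, expands a workflow input directly into the shell script, so a branch name containing shell metacharacters would be executed, and the result is then written to `$GITHUB_ENV`, which every subsequent step reads. Whether `inputs.branch-name` can be attacker-influenced depends on the calling workflows, which are not visible here, but the safe form costs nothing: put the expression in `env:` and reference the variable in the script, e.g. `env:` / `  BRANCH: ${{ inputs.branch-name || github.ref_name }}` / `run: echo "normalized-branch-name=$BRANCH" | tr "/" "-" >> "$GITHUB_ENV"`. The `persist-credentials: false` addition itself is correct; this is about the step that follows it.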
@@ -532,6 +537,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -581,6 +587,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -634,6 +641,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -688,6 +696,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -733,6 +742,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -793,6 +803,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - run: echo "normalized-branch-name=${{ inputs.branch-name || github.ref_name }}" | tr "/" "-" >> "$GITHUB_ENV" - name: Fetch the binaries uses: actions/download-artifact@v4 @@ -830,6 +841,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: install pip build dependencies run: | python3 -m venv ${REPO_HOME}/.venv 
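Review bot: By the hunk at @@ -830 the diff has added the identical `persist-credentials: false` line to more than a dozen checkouts in build-and-test-all.yml alone, and nothing prevents the next job someone adds from omitting it. GitHub Actions has no YAML anchors or per-workflow defaults for `with:` inputs, so the practical guard is a lint step that fails the build when a `uses: actions/checkout@` step lacks the option (zizmor's `artipacked` audit checks exactly this, or a short `yq`/`jq` script would do). A comment above the first checkout, `# every actions/checkout must set persist-credentials: false; the token must not land in .git/config`, would at least record the intent for future editors. The `steps:` lists these hunks belong to start and end outside the hunks.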
@@ -869,6 +881,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: Get list of jobs in the workflow run: "cat .github/workflows/build-and-test-all.yml | jc --yaml | jq -rS '.[].jobs | keys | .[]' | grep -vE 'collect|get-runner-container-image' | tee /tmp/workflow-jobs-list.yml" - name: Get list of prerequisite jobs diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml index 3ce2b98aad..18097d7667 100644 --- a/.github/workflows/build-docker-images.yml +++ b/.github/workflows/build-docker-images.yml @@ -60,6 +60,7 @@ jobs: fetch-depth: 0 submodules: recursive ref: ${{ inputs.ref }} + persist-credentials: false - name: validate reference only if image will be pushed if: ${{ inputs.push }} run: | @@ -77,6 +78,7 @@ jobs: fetch-depth: 0 submodules: recursive ref: ${{ inputs.ref }} + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@v3 with: diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index ad0755b353..9610e7c862 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -61,6 +61,7 @@ jobs: fetch-depth: 1 submodules: recursive ref: ${{ inputs.ref }} + persist-credentials: false - id: get-oslist run: | available_targets=$(ls builder-support/dockerfiles/Dockerfile.target.* ) @@ -114,6 +115,7 @@ jobs: fetch-depth: 0 # for correct version numbers submodules: recursive ref: ${{ inputs.ref }} + persist-credentials: false # this builds packages and runs our unit tests (make check) - run: IS_RELEASE=${{ inputs.is_release}} builder/build.sh -v -m ${{ inputs.product }} ${{ matrix.os }} - name: Get version number diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index 2f5ec84603..690d426719 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml 
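Review bot: The step right after the new `persist-credentials: false` in build-packages.yml at @@ -114, `- run: IS_RELEASE=${{ inputs.is_release}} builder/build.sh -v -m ${{ inputs.product }} ${{ matrix.os }}`, interpolates two `workflow_call` inputs straight into the shell command line, which is the same expression-injection pattern the commit's credential hardening is meant to limit the blast radius of. If any caller derives `product` or `is_release` from untrusted data (not visible from this diff) that is a command-injection path; moving them into `env:` and quoting them in the script removes the risk regardless of the caller, and `matrix.os` can stay inline since it comes from the repository's own matrix. The surrounding job definition begins and ends outside the hunk.
```yaml
      # … unchanged: checkout step with persist-credentials: false …
      # this builds packages and runs our unit tests (make check)
      - env:
          PRODUCT: ${{ inputs.product }}
          IS_RELEASE: ${{ inputs.is_release }}
        run: IS_RELEASE="$IS_RELEASE" builder/build.sh -v -m "$PRODUCT" ${{ matrix.os }}
```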
@@ -50,6 +50,7 @@ jobs: fetch-depth: 0 # for correct version numbers submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false # this builds packages and runs our unit test (make check) - run: builder/build.sh -v -m ${{ matrix.product }} ${{ matrix.os }} - name: Get version number diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 84f077eeee..5847eedb08 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -66,6 +66,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' @@ -282,4 +283,5 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 2 + persist-credentials: false - run: if [[ "$(file -i --dereference $(git diff --name-only HEAD^..HEAD -- . :^fuzzing/corpus) | grep binary | grep -v 'image/' | grep -v 'inode/x-empty' | grep -v 'inode/directory' | grep -v '^modules/lmdbbackend/test-assets/' | grep -v '^website/docs.powerdns.com/website/fonts/' | grep -v '^website/docs.powerdns.com/website/img/' | grep -v '^modules/tinydnsbackend/data.cdb' | tee /dev/stderr)" != "" ]]; then exit 1; fi diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4433da6bad..bd0e432208 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -36,6 +36,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' @@ -65,6 +66,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' @@ -107,6 +109,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' 
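Review bot: The binary-file check that follows the new line in codeql-analysis.yml at @@ -282 passes `$(git diff --name-only HEAD^..HEAD -- . :^fuzzing/corpus)` unquoted to `file -i --dereference`, so a changed path containing whitespace is split into several arguments and a path beginning with `-` is parsed by `file` as an option; both are things a contributor controls by naming a file in a pull request, which is the kind of input this job appears to be checking (I can't see the trigger from here). Using NUL-separated output and an explicit option terminator avoids both: `git diff -z --name-only HEAD^..HEAD -- . ':^fuzzing/corpus' | xargs -0 -r file -i --dereference --`, keeping the rest of the pipeline as is. `fetch-depth: 2` is the right minimum for `HEAD^..HEAD`, so that part is fine.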
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 820c1624a7..9fe5cd6c67 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -54,6 +54,8 @@ jobs: steps: - uses: PowerDNS/pdns/set-ubuntu-mirror@meta - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' @@ -212,6 +214,8 @@ jobs: fi - uses: PowerDNS/pdns/set-ubuntu-mirror@meta - uses: actions/checkout@v4 + with: + persist-credentials: false - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade - uses: actions/download-artifact@v4 with: @@ -268,6 +272,8 @@ jobs: exit 1 fi - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml index 1e3e7a5e9e..05fd847f7d 100644 --- a/.github/workflows/formatting.yml +++ b/.github/workflows/formatting.yml @@ -18,6 +18,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - name: Update dependencies run: | sudo apt-get update diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 182013c75c..e8c624edac 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -12,6 +12,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - run: docker build -t gcr.io/oss-fuzz-base/base-builder:latest -f Dockerfile-cifuzz . - name: Build Fuzzers uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml index e5341ffadb..2bf15749ee 100644 --- a/.github/workflows/misc-dailies.yml +++ b/.github/workflows/misc-dailies.yml 
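Review bot: The checkout in documentation.yml at @@ -268 now drops the git credential, but the very next step, `aws-actions/configure-aws-credentials@v4` with `aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}`, still authenticates with a long-lived static key pair held as repository secrets, which a compromised step could exfiltrate just as easily as a persisted token. If the AWS side allows it, the same action supports OIDC federation (`role-to-assume:` on the step plus `id-token: write` in the job's `permissions:`), giving short-lived credentials scoped to this workflow and removing the standing secret. The step's remaining inputs and the job's `permissions:` are outside the hunk, so I can't tell whether `id-token` is already granted.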
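Review bot: Two steps after the new `persist-credentials: false` in fuzz.yml at @@ -12, `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` references a mutable branch, so the action code executed in this job can change upstream with no change in this repository, which is the same class of supply-chain exposure the commit is reducing. Pinning to a full commit SHA with the human-readable ref in a trailing comment, `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<full-sha>  # master as of the pin date`, is the usual fix, and Dependabot can keep the comment and SHA in step. `actions/checkout@v4` above it has the same property in milder form since `v4` is a moving tag; `PowerDNS/pdns/set-ubuntu-mirror@meta` elsewhere in the diff lives in the project's own repository, which is a different trust level.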
@@ -35,6 +35,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - name: Check if Debian is about to toss us off a balcony run: ./build-scripts/check-debian-autoremovals.py @@ -90,6 +91,8 @@ jobs: req-files: ${{ steps.get-list-requirements.outputs.files }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get all requirements.txt files and export them as outputs id: get-list-requirements run: | @@ -117,6 +120,8 @@ jobs: - run: echo "${{ matrix.requirements-file }}" - uses: PowerDNS/pdns/set-ubuntu-mirror@meta - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' @@ -148,6 +153,7 @@ jobs: fetch-depth: 5 submodules: recursive ref: ${{ inputs.branch-name }} + persist-credentials: false - name: Add PowerDNS Repo run: echo 'deb [signed-by=/etc/apt/keyrings/rec-master-pub.asc] http://repo.powerdns.com/ubuntu noble-rec-master main' | sudo tee /etc/apt/sources.list.d/pdns.list - name: Add key diff --git a/.github/workflows/secpoll.yml b/.github/workflows/secpoll.yml index 8f9fbdd050..314daa2531 100644 --- a/.github/workflows/secpoll.yml +++ b/.github/workflows/secpoll.yml @@ -19,6 +19,7 @@ jobs: with: fetch-depth: 5 submodules: recursive + persist-credentials: false - run: sh docs/secpoll-check.sh docs/secpoll.zone - run: echo 'deb [arch=amd64] http://repo.powerdns.com/ubuntu noble-auth-master main' | sudo tee /etc/apt/sources.list.d/pdns.list - run: "echo -ne 'Package: pdns-*\nPin: origin repo.powerdns.com\nPin-Priority: 600\n' | sudo tee /etc/apt/preferences.d/pdns"
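Review bot: The step following the new `persist-credentials: false` in secpoll.yml at @@ -19 adds `deb [arch=amd64] http://repo.powerdns.com/ubuntu noble-auth-master main` without a `signed-by=` option, unlike the `rec-master` entry in misc-dailies.yml at @@ -148, which pins its keyring with `signed-by=/etc/apt/keyrings/rec-master-pub.asc`. Unless a step outside this hunk installs the key into the system-wide trust store, apt will refuse the source; if one does, every apt source on the runner trusts that key rather than just this one. Matching the misc-dailies form, `deb [arch=amd64 signed-by=/etc/apt/keyrings/<keyring-file>] https://repo.powerdns.com/ubuntu noble-auth-master main`, scopes the key and also moves the fetch to HTTPS (apt signatures protect integrity over plain HTTP, but the transport still exposes which packages the runner pulls and would become a MITM vector if signature checking were ever relaxed). The same `https://` change applies to the misc-dailies line.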