From: Dmitry V. Levin
Date: Wed, 18 Feb 2026 08:00:00 +0000 (+0000)
Subject: github/workflows: disable persisting credentials for actions/checkout
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F40728%2Fhead;p=thirdparty%2Fsystemd.git

github/workflows: disable persisting credentials for actions/checkout

Set `persist-credentials: false` for actions/checkout.

By default, using `actions/checkout` causes a credential to be persisted on disk. Subsequent steps may accidentally publicly persist the credential, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential on disk is non-ideal unless actually needed.

Link: https://docs.zizmor.sh/audits/#artipacked
---
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 06bff4bc74d..4a99f9ece64 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -52,6 +52,8 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d6f3a9b4704..8432da069ff 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -43,6 +43,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 59b6df16dc3..7ebb7491506 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
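Review bot: The new `persist-credentials: false` lines in the build-test.yml hunk (and in the other eleven workflow hunks of this patch) carry no comment, and the reason — actions/checkout otherwise leaves the job token in the clone's git config, where a later step can leak it — lives only in the commit message; a one-line comment above the option such as `# Do not keep the job token in the clone's git config (zizmor: artipacked)` would keep the intent visible next to the setting, matching the existing `# We need a full repo clone` comment in linter.yml. Any later step in these jobs that relied on the persisted token for a git push or a fetch of private refs would now fail, so it is worth confirming none does; the checkouts in linter.yml, development-freeze.yml and differential-shellcheck.yml keep `fetch-depth: 0`, which should be unaffected because, as far as I know, the token is still used for the checkout's own fetch and only removed afterwards. The option covers only the clone made by actions/checkout, so a later step that clones the repository itself is outside this change. If the zizmor audit linked in the description is not already run in CI, adding it would catch a future checkout step added without the option. The enclosing job definitions start above each hunk.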
@@ -25,6 +25,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
 # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 2ca2ac8a266..792cb916926 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 # Reuse the setup phase of the unit test script to avoid code duplication
 - name: Install build dependencies
 run: |
diff --git a/.github/workflows/development-freeze.yml b/.github/workflows/development-freeze.yml
index c1d7ba76c41..be75a2c421c 100644
--- a/.github/workflows/development-freeze.yml
+++ b/.github/workflows/development-freeze.yml
@@ -33,6 +33,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Development Freezer
 uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 8c0f2d573e3..7d3dc5f9165 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -26,6 +26,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Differential ShellCheck
 uses: redhat-plumbers-in-action/differential-shellcheck@d965e66ec0b3b2f821f75c8eff9b12442d9a7d1e
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index d5471aa5856..f9cfd9154e6 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - id: metadata
 name: Gather Pull Request Metadata
diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
index 0955af535c7..a5f1fb07577 100644
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Parse issue form
 uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index fd87a570bec..49b6d1fb367 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -32,6 +32,8 @@ jobs:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 if: github.event_name == 'pull_request'
+ with:
+ persist-credentials: false
 - name: Label PR based on policy in labeler.yml
 uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 52670eaa6bb..2264beb92f1 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -27,6 +27,7 @@ jobs:
 with:
 # We need a full repo clone
 fetch-depth: 0
+ persist-credentials: false
 - name: Lint Code Base
 uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index a44f667cec2..e011c146231 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -167,6 +167,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: systemd/mkosi@66d51024b7149f40be4702e84275c936373ace97
 # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
diff --git a/.github/workflows/unit-tests-musl.yml b/.github/workflows/unit-tests-musl.yml
index aa77afb674b..2120eddeeb1 100644
--- a/.github/workflows/unit-tests-musl.yml
+++ b/.github/workflows/unit-tests-musl.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Install build dependencies
 uses: jirutka/setup-alpine@v1
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 387ab8edd1a..79950640178 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -41,6 +41,8 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Install build dependencies
 run: |
 # Drop XDG_* stuff from /etc/environment, so we don't get the user
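Review bot: In the unit-tests-musl.yml hunk, the trailing context line `uses: jirutka/setup-alpine@v1` is the only action in this patch referenced by a mutable tag; every other action shown, including the checkout being hardened here, is pinned to a full commit SHA, so the new `persist-credentials: false` step is immediately followed by one whose contents can change without any diff in this repository. This is pre-existing and outside what the commit sets out to do, but a follow-up pinning it the same way as the others, e.g. `uses: jirutka/setup-alpine@<commit-sha> # v1` with the real SHA filled in, would close the gap. The checkout hunks in mkosi.yml and unit-tests.yml on this line have no such issue.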