From: Dmitry Misharov Date: Thu, 23 Oct 2025 10:10:24 +0000 (+0200) Subject: do not persist credentials after check out X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=df64f04232c5f9765c665ab50d071b210fe49a28;p=thirdparty%2Fopenssl.git do not persist credentials after check out https://docs.zizmor.sh/audits/#artipacked Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28982) --- diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 2c595e2e09..7c548ed8f6 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -45,6 +45,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 + persist-credentials: false - name: cherry-pick if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }} run: | diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18bc2d47e4..1e9b606f35 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,6 +35,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: config run: ./config --strict-warnings --banner=Configured enable-fips && perl configdata.pm --dump - name: make build_generated @@ -48,6 +49,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config --strict-warnings --banner=Configured enable-fips && perl configdata.pm --dump - name: make build_generated @@ -68,6 +71,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: CPPFLAGS='-std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --strict-warnings --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips enable-lms && perl configdata.pm --dump - name: make 
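Review bot: The `cherry-pick` step that follows the backport.yml checkout now runs with no token in `.git/config`, and its script lies outside the hunk, so confirm it performs only local git operations. That is the right default for a tree checked out at `github.event.pull_request.head.sha`. If the step does push or fetch with authentication, pass the token to that one step through `env:` rather than turning persistence back on. A comment above the added line, for example `# PR head is checked out here; keep the job token out of .git/config`, would record why this checkout in particular must stay this way.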
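Review bot: `actions/checkout@v4` in the ci.yml hunk at `@@ -35,6 +35,7 @@` is referenced by a movable tag, as it is in every other checkout step this commit touches (`@v5` in compiler-zoo.yml). In the same workflows, `cross-platform-actions/action` (ci.yml `@@ -155,6 +166,8 @@`) and `cygwin/cygwin-install-action` (windows.yml `@@ -198,6 +204,8 @@`) are pinned to a full commit SHA with the version in a trailing comment. Since these lines are already being edited for a zizmor finding, pinning checkout the same way would bring it in line: `- uses: actions/checkout@<full-commit-sha> # v4`, where the SHA is a placeholder to be taken from the upstream release. Settling on one major version across the workflows would also leave a single pin to maintain.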
@@ -77,6 +82,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: localegen @@ -109,6 +116,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -132,6 +141,8 @@ jobs: runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config --strict-warnings enable-demos enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - name: config dump @@ -155,6 +166,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0 with: @@ -197,6 +210,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -220,6 +235,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -243,6 +260,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -266,6 +285,8 @@ jobs: runs-on: macos-14 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
@@ -289,6 +310,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -316,6 +339,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -343,6 +368,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -371,6 +398,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -399,6 +428,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -426,6 +457,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: modprobe tls @@ -451,6 +484,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: modprobe tls @@ -482,6 +517,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
@@ -505,6 +542,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -535,6 +574,7 @@ jobs: - uses: actions/checkout@v4 with: path: ./source + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora working-directory: ./source @@ -576,6 +616,7 @@ jobs: - uses: actions/checkout@v4 with: path: ./source + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora working-directory: ./source @@ -617,6 +658,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - name: package installs run: | sudo apt-get update @@ -658,6 +700,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - name: config run: ./config --strict-warnings --banner=Configured --debug enable-external-tests && perl configdata.pm --dump - name: make @@ -677,6 +720,8 @@ jobs: run: | dnf install -y perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy perl-Test-Simple perl-Test-Harness python3 make g++ perl git meson opensc expect kryoptic - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora and pkcs11-provider submodule run: | git config --global --add safe.directory /__w/openssl/openssl @@ -708,6 +753,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - name: package installs run: | sudo apt-get update diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 55cfd71e19..77f1496ac1 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml 
@@ -25,6 +25,8 @@ jobs: sudo apt-get update sudo apt-get -y install ${{ matrix.gcc }} - uses: actions/checkout@v5 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -59,6 +61,8 @@ jobs: sudo apt-get update || true sudo apt-get -y install ${{ matrix.clang }} - uses: actions/checkout@v5 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 9b73829f93..dd1782e308 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -88,6 +88,7 @@ jobs: with: submodules: recursive ref: ${{ matrix.branches.branch }} + persist-credentials: false - name: cache commit id run: | echo "githubid=`/usr/bin/git log -1 --format='%H'`" >>$GITHUB_ENV diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 92f45dc01c..3d7bfb89a6 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -169,6 +169,8 @@ jobs: gcc-${{ matrix.platform.arch }} \ ${{ matrix.platform.libs }} - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index be2b6c7672..22b7da2257 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -31,6 +31,7 @@ jobs: repository: ${{ github.event.pull_request.base.repo.full_name }} ref: ${{ github.event.pull_request.base.ref }} path: source-pristine + persist-credentials: false - name: config pristine run: ../source-pristine/config enable-fips working-directory: ./build-pristine 
@@ -46,6 +47,7 @@ jobs: - uses: actions/checkout@v4 with: path: source + persist-credentials: false - name: config run: ../source/config enable-fips working-directory: ./build @@ -93,6 +95,7 @@ jobs: repository: ${{ github.event.pull_request.base.repo.full_name }} ref: ${{ github.event.pull_request.base.ref }} path: source-pristine + persist-credentials: false - name: config pristine run: ../source-pristine/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump working-directory: ./build-pristine @@ -102,6 +105,7 @@ jobs: - uses: actions/checkout@v4 with: path: source + persist-credentials: false - name: config run: ../source/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump working-directory: ./build diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 7648785d5e..8d7dda78a1 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -53,6 +53,8 @@ jobs: sudo cat /proc/sys/vm/mmap_rnd_bits sudo sysctl -w vm.mmap_rnd_bits=28 - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: | diff --git a/.github/workflows/interop-tests.yml b/.github/workflows/interop-tests.yml index be57d93427..c34a6853b5 100644 --- a/.github/workflows/interop-tests.yml +++ b/.github/workflows/interop-tests.yml @@ -25,6 +25,8 @@ jobs: COMPONENT: ${{ matrix.COMPONENT }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Display environment run: export - name : Install needed tools diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index 1e2c7f25f7..6c3d453c81 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -25,6 +25,7 @@ jobs: repository: "openssl/openssl" token: ${{ secrets.GHE_TOKEN }} path: ${{ github.ref_name }} + persist-credentials: false - name: "Prepare assets" run: | cd ${{ github.ref_name }} 
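Review bot: In the make-release.yml hunk the checkout is given `token: ${{ secrets.GHE_TOKEN }}`, so with the added `persist-credentials: false` no later step can rely on git picking that token up from `.git/config`. The body of "Prepare assets" continues outside the hunk; confirm it does no authenticated fetch or push, or hand it the token explicitly through `env:`. Separately, `cd ${{ github.ref_name }}` pastes the ref name into the script text before the shell parses it. `cd "$GITHUB_REF_NAME"` reads the same value from the environment and keeps it as data.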
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index a601018a1c..9a9caf6c1a 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml @@ -37,6 +37,8 @@ jobs: - name: install packages run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }} - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: | ./config --strict-warnings --banner=Configured no-shared enable-fips \ @@ -87,6 +89,8 @@ jobs: container: ${{ matrix.zoo.image }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: install packages run: ${{ matrix.zoo.install }} - name: config @@ -111,6 +115,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -139,6 +145,8 @@ jobs: runs-on: ${{ matrix.platform.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: install nasm @@ -181,6 +189,8 @@ jobs: runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - name: config dump @@ -197,6 +207,8 @@ jobs: if: github.repository == 'openssl/openssl' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - name: config dump 
@@ -215,6 +227,8 @@ jobs: if: github.repository == 'openssl/openssl' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config --strict-warnings enable-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - name: config dump @@ -233,6 +247,8 @@ jobs: if: github.repository == 'openssl/openssl' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace - name: config dump @@ -251,6 +267,8 @@ jobs: if: github.repository == 'openssl/openssl' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: config uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0 with: diff --git a/.github/workflows/perl-minimal-checker.yml b/.github/workflows/perl-minimal-checker.yml index 11f4563dcb..73cdda3ec5 100644 --- a/.github/workflows/perl-minimal-checker.yml +++ b/.github/workflows/perl-minimal-checker.yml @@ -38,6 +38,8 @@ jobs: perl -MTest::More -e 'print "$Test::More::VERSION\n"' popd - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build openssl run: ./config && make -j $(nproc) - name: Install sed diff --git a/.github/workflows/prov-compat-label.yml b/.github/workflows/prov-compat-label.yml index 63758d682b..e2a5cbf745 100644 --- a/.github/workflows/prov-compat-label.yml +++ b/.github/workflows/prov-compat-label.yml @@ -147,6 +147,7 @@ jobs: path: ${{ matrix.branch.dir }} repository: openssl/openssl ref: ${{ matrix.branch.name }} + persist-credentials: false - name: localegen run: sudo locale-gen tr_TR.UTF-8 diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index dc4789acb5..4da0d32f40 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml 
@@ -159,6 +159,7 @@ jobs: path: ${{ matrix.branch.dir }} repository: openssl/openssl ref: ${{ matrix.branch.name }} + persist-credentials: false - name: localegen run: sudo locale-gen tr_TR.UTF-8 diff --git a/.github/workflows/riscv-more-cross-compiles.yml b/.github/workflows/riscv-more-cross-compiles.yml index 98e85211e0..0b27a251b3 100644 --- a/.github/workflows/riscv-more-cross-compiles.yml +++ b/.github/workflows/riscv-more-cross-compiles.yml @@ -195,6 +195,8 @@ jobs: gcc-${{ matrix.platform.arch }} \ ${{ matrix.platform.libs }} - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index f2d2d16e59..3295c27547 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 1eaa9700d0..9e55ba2c20 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -139,6 +139,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -159,6 +161,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Install Dependencies for sctp option 
@@ -204,6 +208,8 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install brotli libbrotli1 libbrotli-dev - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -227,6 +233,8 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -251,6 +259,8 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -270,6 +280,8 @@ jobs: steps: - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: Adjust ASLR for sanitizer run: | sudo cat /proc/sys/vm/mmap_rnd_bits @@ -297,6 +309,8 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install brotli libbrotli1 libbrotli-dev - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer 
@@ -324,6 +338,8 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer @@ -349,6 +365,8 @@ jobs: runs-on: ${{matrix.os}} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -365,6 +383,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -383,6 +403,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index eb98a00a2c..0a0b1f18e7 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -44,6 +44,8 @@ jobs: sudo cat /proc/sys/vm/mmap_rnd_bits sudo sysctl -w vm.mmap_rnd_bits=28 - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
@@ -64,12 +66,15 @@ jobs: steps: - name: checkout openssl uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout jitter uses: actions/checkout@v4 with: repository: smuellerDD/jitterentropy-library ref: v3.5.0 path: jitter + persist-credentials: false - name: build jitter run: make -C jitter/ - name: checkout fuzz/corpora submodule @@ -89,6 +94,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Adjust ASLR for sanitizer diff --git a/.github/workflows/static-analysis-on-prem.yml b/.github/workflows/static-analysis-on-prem.yml index d346eab797..058782a15f 100644 --- a/.github/workflows/static-analysis-on-prem.yml +++ b/.github/workflows/static-analysis-on-prem.yml @@ -28,6 +28,8 @@ jobs: echo ${{ secrets.COVERITY_AUTH_KEY }} | base64 -d > /auth_key_file.txt chmod 0600 /auth_key_file.txt - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Config run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-lms enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC - name: Config dump diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index f9bb9b076e..84d54cc934 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: tool download run: | wget https://scan.coverity.com/download/linux64 \ diff --git a/.github/workflows/style-checks.yml b/.github/workflows/style-checks.yml index 69c9ca6c8e..fe0003b884 100644 --- a/.github/workflows/style-checks.yml +++ b/.github/workflows/style-checks.yml 
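Review bot: The `checkout jitter` step in the `@@ -64,12 +66,15 @@` hunk pulls `smuellerDD/jitterentropy-library` at `ref: v3.5.0`, a tag the upstream owner can move, and the next step builds it with `make -C jitter/`. The added `persist-credentials: false` keeps the job token out of that third-party tree, but the code that gets built is still whatever the tag points to at run time. Pinning to a commit closes that gap: `ref: <commit-sha-of-v3.5.0> # v3.5.0`, with the placeholder filled in from the upstream repository.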
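Review bot: The context line `echo ${{ secrets.COVERITY_AUTH_KEY }} | base64 -d > /auth_key_file.txt` in the static-analysis-on-prem.yml hunk leaves a second credential on disk that the added `persist-credentials: false` does not cover. It also splices the secret into the script text before the shell runs. Passing it through the environment avoids the splice: `env: COVERITY_AUTH_KEY: ${{ secrets.COVERITY_AUTH_KEY }}` on the step and `printf '%s' "$COVERITY_AUTH_KEY" | base64 -d > /auth_key_file.txt` in the script. Whether the file is removed at the end of the job cannot be seen from this hunk; if the runner is reused between jobs, an `if: always()` cleanup step deleting `/auth_key_file.txt` is worth having.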
@@ -24,6 +24,7 @@ jobs: with: fetch-depth: 0 path: openssl + persist-credentials: false - name: check style for each commit working-directory: openssl shell: bash diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 89e53017f3..5a2bdfa297 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -33,6 +33,8 @@ jobs: runs-on: ${{ matrix.platform.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: install nasm @@ -103,6 +105,8 @@ jobs: runs-on: windows-2022 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: prepare the build directory @@ -142,6 +146,8 @@ jobs: runs-on: windows-2022 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: prepare the build directory @@ -198,6 +204,8 @@ jobs: steps: # Checkout before cygwin can mess with PATH... - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: cygwin/cygwin-install-action@f61179d72284ceddc397ed07ddb444d82bf9e559 #v5 with: packages: perl git make gcc-core diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index 7496c1b7e7..29786a876d 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -24,6 +24,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: install nasm 
@@ -89,6 +91,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: install nasm