From b450b341ee64ad67c9bba905121d1bbe738fe0b5 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 18 Sep 2025 15:27:11 +0200 Subject: [PATCH] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in all workflows. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/basic-qa.yml | 6 ++++++ .github/workflows/label-new-prs.yml | 2 ++ .github/workflows/publish-wiki.yml | 2 ++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/basic-qa.yml b/.github/workflows/basic-qa.yml index 2b95f25..28560f4 100644 --- a/.github/workflows/basic-qa.yml +++ b/.github/workflows/basic-qa.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Restore lychee cache uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 @@ -58,6 +60,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Spellcheck uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0 @@ -81,6 +85,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up problem matcher uses: lumaxis/shellcheck-problem-matchers@b02a1715a00c729b20eed3ebb7edf56fa9a433ba # v2.1.0 diff --git a/.github/workflows/label-new-prs.yml b/.github/workflows/label-new-prs.yml index c1355ac..2bf3297 100644 --- a/.github/workflows/label-new-prs.yml +++ b/.github/workflows/label-new-prs.yml @@ -39,6 +39,8 @@ jobs: # Checkout is needed to use the `use_local_config` option. - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Verify changes to the labeling logic uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0 diff --git a/.github/workflows/publish-wiki.yml b/.github/workflows/publish-wiki.yml index b5159fb..293d0fe 100644 --- a/.github/workflows/publish-wiki.yml +++ b/.github/workflows/publish-wiki.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 # 2.35.4