From 531e6181130d497f5891f9de8baf76ab89d33610 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 18 Sep 2025 05:42:53 +0200 Subject: [PATCH] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in all workflows. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/qa.yml | 2 ++ .github/workflows/update-website.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index b85a52e..d4ef1cd 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index f1f305d..cbebee9 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -53,6 +53,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ steps.base_branch.outputs.BRANCH }} + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0