From d41a42a4a566e5e7ac2c0a365a245f8a7f3811cc Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 18 Sep 2025 05:42:53 +0200 Subject: [PATCH] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in all workflows. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/qa.yml | 2 ++ .github/workflows/update-website.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 564482d..4006ae8 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index 7d4eaa8..d69d5f8 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -53,6 +53,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: ${{ steps.base_branch.outputs.BRANCH }} + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5