From 096be18c88732656921832977237a5b9347d83a7 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 18 Sep 2025 05:42:53 +0200 Subject: [PATCH] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in all workflows. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/qa.yml | 2 ++ .github/workflows/update-website.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 416899d..3dfcab9 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index b577a9b..526ebe1 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -53,6 +53,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ steps.base_branch.outputs.BRANCH }} + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2