From 0a512b666ab2cf6f6e768ad1100a905a43e1b9a8 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Thu, 18 Sep 2025 05:42:53 +0200
Subject: [PATCH] GH Actions: do not persist credentials

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
---
.github/workflows/qa.yml | 2 ++
.github/workflows/update-website.yml | 1 +
2 files changed, 3 insertions(+)

diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index 71305a2..b9f3002 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -21,6 +21,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false

- name: Install PHP
uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml
index c77082a..ecf66d1 100644
--- a/.github/workflows/update-website.yml
+++ b/.github/workflows/update-website.yml
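Review bot: `persist-credentials: false` on the checkout step only keeps the token out of `.git/config`; the job's `GITHUB_TOKEN` is still reachable by every later step through the `github.token` context, so the `permissions` block for this job (outside the hunk) should be checked and narrowed to `contents: read` if it is not already. The `with:` block would also benefit from a one-line comment recording that the omission is deliberate, e.g. `# No authenticated git operations in this job; keep GITHUB_TOKEN out of .git/config (zizmor: artipacked)`, so a future maintainer adding a push step knows to supply an explicit token rather than silently depending on a credential that is no longer there. The `steps:` list and its enclosing job begin before this hunk.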
@@ -53,6 +53,7 @@ jobs:
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
ref: ${{ steps.base_branch.outputs.BRANCH }}
+ persist-credentials: false

- name: Install PHP
uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
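Review bot: Whether this job can do without the persisted credential cannot be confirmed from the hunk: the workflow is the site-update one and the steps that publish the regenerated site lie outside it, so if any of them commits or pushes with plain `git` (or with an auto-commit action that relies on the checkout's `.git/config` credential), the failure will surface as an authentication error at push time rather than at checkout. If that is the case, the publishing step should be given an explicit token (for example `token: ${{ secrets.GITHUB_TOKEN }}` on the push action, with `permissions: contents: write` scoped to that job) rather than reverting to `persist-credentials: true`. A short comment beside the new line, e.g. `# token not persisted; any git push later in this job must authenticate explicitly`, would record that decision. The `ref:` value comes from a prior step output, which is fine as a `with:` input, and both the job and this `with:` block begin before the hunk.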