Disable credentials persistence in Github checkout action

According to a couple of articles, the default should be `false`, but it's not, which makes the token exposed to actions that do not need it. According to a linter I tried just for fun, we should enforce it to close this hole. [1] actions/checkout#485 [2] https://github.com/woodruffw/zizmor
teemtee · Nov 1, 2024 · 9aad666 · 9aad666
1 parent ecedf0a
commit 9aad666
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/doc-tests.yml b/.github/workflows/doc-tests.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -12,6 +12,8 @@ jobs:
       SKIP: no-commit-to-branch
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@v5
       with:
         python-version: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,10 +22,13 @@ jobs:
       # Check out the repo
       - uses: actions/checkout@v4
         if: ${{ github.event_name == 'release' }}
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         if: ${{ github.event_name == 'workflow_dispatch' }}
         with:
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
 
       # Setup python
       - uses: actions/setup-python@v5

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -20,6 +20,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - id: ShellCheck
         name: Differential ShellCheck