From c1d1e1a6b42ccbc03f8b760d22f478d22a6583f7 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Wed, 17 Sep 2025 06:29:38 +0200
Subject: [PATCH] GH Actions: do not persist credentials

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
---
 .github/workflows/cs.yml | 4 ++++
 .github/workflows/quicktest.yml | 4 ++++
 .github/workflows/test.yml | 4 ++++
 .github/workflows/update-website.yml | 1 +
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index 99d8326..d4de112 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: Install PHP
 uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 # master
@@ -119,6 +121,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 # Updating the lists can fail intermittently, typically after Microsoft has released a new package.
 # This should not be blocking for this job, so ignore any errors from this step.
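Review bot: The new `persist-credentials: false` under the checkout step in both cs.yml hunks (and the identical additions in quicktest.yml and test.yml) carries no comment saying why the token is withheld, so a maintainer who later adds a step that needs an authenticated git operation will hit an auth failure and may simply flip the value back. Suggest a one-line comment directly above the added `with:` block, e.g. `# No later step performs authenticated git operations; do not leave the token in .git/config.` The steps that follow each checkout are outside these hunks, so whether any of them actually needs the token cannot be confirmed here; the commit description does not say which jobs were checked for that.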
diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml
index d8fcb7c..5d4fc7e 100644
--- a/.github/workflows/quicktest.yml
+++ b/.github/workflows/quicktest.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 # Updating the lists can fail intermittently, typically after Microsoft has released a new package.
 # This should not be blocking for this job, so ignore any errors from this step.
@@ -121,6 +123,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 # On stable PHPCS versions, allow for PHP deprecation notices.
 # Unit tests don't need to fail on those for stable releases where those issues won't get fixed anymore.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8ee741c..93d5b4a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,6 +31,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 # Updating the lists can fail intermittently, typically after Microsoft has released a new package.
 # This should not be blocking for this job, so ignore any errors from this step.
@@ -175,6 +177,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: Setup ini config
 id: set_ini
diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml
index a06824e..02bbddd 100644
--- a/.github/workflows/update-website.yml
+++ b/.github/workflows/update-website.yml
@@ -51,6 +51,7 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 ref: ${{ steps.base_branch.outputs.BRANCH }}
+ persist-credentials: false
 
 - name: Install PHP
 uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 # master
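Review bot: Adding `persist-credentials: false` to this checkout, which pulls `ref: ${{ steps.base_branch.outputs.BRANCH }}`, removes the token from `.git/config` for the rest of the job, and a workflow named update-website plausibly commits and pushes later in the same job; if it does, that push would no longer be authenticated after this change. The steps after `Install PHP` are outside the hunk, so this cannot be confirmed here. If such a push step exists, it should receive its token explicitly (or this step should state `persist-credentials: true`, as the commit description recommends for the needed case); if no later step pushes, the change is correct as is and a short comment above the added line saying so would prevent the question being re-asked.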