Commit 5d6e560

maresb authored and ricardoV94 committed
Don't persist credentials
This is an insecure default on GitHub that increases the chances of credential leakage. <https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/>
1 parent aad5400 commit 5d6e560

5 files changed

+19
-0
lines changed

.github/workflows/devcontainer-docker-image.yml

Lines changed: 2 additions & 0 deletions
@@ -24,6 +24,8 @@ jobs:
2424
steps:
2525
- name: Checkout source
2626
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
27+
with:
28+
persist-credentials: false
2729

2830
- name: Setup Docker buildx
2931
uses: docker/[email protected]
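
Review bot: The added `persist-credentials: false` under "Checkout source" has no comment saying why it is set, so the rationale lives only in the commit message. A one-line YAML comment above `with:` (for example, that the token should not be left in `.git/config` for later steps) would keep a future cleanup from dropping the setting as redundant.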

.github/workflows/docker-image.yml

Lines changed: 2 additions & 0 deletions
@@ -14,6 +14,8 @@ jobs:
1414
steps:
1515
- name: Checkout code
1616
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
17+
with:
18+
persist-credentials: false
1719

1820
- name: Login to Docker Hub
1921
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567

.github/workflows/mypy.yml

Lines changed: 2 additions & 0 deletions
@@ -13,6 +13,8 @@ jobs:
1313
runs-on: ubuntu-latest
1414
steps:
1515
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
16+
with:
17+
persist-credentials: false
1618
- uses: mamba-org/setup-micromamba@v2
1719
with:
1820
environment-file: conda-envs/environment-test.yml

.github/workflows/pr-auto-label.yml

Lines changed: 2 additions & 0 deletions
@@ -11,6 +11,8 @@ jobs:
1111
steps:
1212
- name: Checkout repository
1313
uses: actions/checkout@v2
14+
with:
15+
persist-credentials: false
1416
- name: Sync labels with closing issues
1517
uses: wd60622/[email protected]
1618
with:
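
Review bot: `uses: actions/checkout@v2` in this hunk is still referenced by a mutable tag, while the other four workflows touched by this commit pin checkout to the full SHA `11bd71901bbe5b1630ceea73d27597364c9af683`. Since the checkout step is being hardened here anyway, pin this one to the same SHA so the step that receives the token cannot change underneath the workflow.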

.github/workflows/tests.yml

Lines changed: 11 additions & 0 deletions
@@ -34,6 +34,7 @@ jobs:
3434
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
3535
with:
3636
fetch-depth: 0
37+
persist-credentials: false
3738
- uses: dorny/paths-filter@v3
3839
id: changes
3940
with:
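
Review bot: Confirm that the `dorny/paths-filter@v3` step right after this checkout still detects changes, since with `persist-credentials: false` any git command it runs is unauthenticated. `fetch-depth: 0` should keep the history it needs local, so this is probably fine, but a passing run linked in the PR would settle it.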
@@ -144,6 +145,8 @@ jobs:
144145
shell: bash -leo pipefail {0}
145146
steps:
146147
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
148+
with:
149+
persist-credentials: false
147150
- uses: mamba-org/setup-micromamba@v2
148151
with:
149152
environment-file: conda-envs/environment-test.yml
@@ -194,6 +197,8 @@ jobs:
194197
shell: cmd /C call {0}
195198
steps:
196199
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
200+
with:
201+
persist-credentials: false
197202
- uses: mamba-org/setup-micromamba@v2
198203
with:
199204
environment-file: conda-envs/windows-environment-test.yml
@@ -253,6 +258,8 @@ jobs:
253258
shell: bash -leo pipefail {0}
254259
steps:
255260
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
261+
with:
262+
persist-credentials: false
256263
- uses: mamba-org/setup-micromamba@v2
257264
with:
258265
environment-file: conda-envs/environment-test.yml
@@ -297,6 +304,8 @@ jobs:
297304
shell: bash -leo pipefail {0}
298305
steps:
299306
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
307+
with:
308+
persist-credentials: false
300309
- uses: mamba-org/setup-micromamba@v2
301310
with:
302311
environment-file: conda-envs/environment-jax.yml
@@ -341,6 +350,8 @@ jobs:
341350
shell: cmd /C call {0}
342351
steps:
343352
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
353+
with:
354+
persist-credentials: false
344355
- uses: mamba-org/setup-micromamba@v2
345356
with:
346357
environment-file: conda-envs/windows-environment-test.yml
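
Review bot: The same `with:` / `persist-credentials: false` pair is added by hand at every checkout in this file, so a checkout step added later can silently miss it. Consider a workflow lint in CI that fails on checkout steps without this setting (zizmor's `artipacked` audit covers this case) instead of relying on review to catch it.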
