Don't persist credentials

maresb · ricardoV94 · commit 5d6e5601d101 · 2025-01-20T10:33:40.000+01:00
This is an insecure default on GitHub that increases the chances of credential leakage. <https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/>
diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
     - name: Checkout source
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        persist-credentials: false
 
     - name: Setup Docker buildx
       uses: docker/setup-buildx-action@v3.7.1
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
@@ -13,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/environment-test.yml
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
@@ -11,6 +11,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Sync labels with closing issues
       uses: wd60622/closing-labels@v0.0.3
       with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -34,6 +34,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: dorny/paths-filter@v3
         id: changes
         with:
@@ -144,6 +145,8 @@ jobs:
         shell: bash -leo pipefail {0}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/environment-test.yml
@@ -194,6 +197,8 @@ jobs:
         shell: cmd /C call {0}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/windows-environment-test.yml
@@ -253,6 +258,8 @@ jobs:
         shell: bash -leo pipefail {0}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/environment-test.yml
@@ -297,6 +304,8 @@ jobs:
         shell: bash -leo pipefail {0}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/environment-jax.yml
@@ -341,6 +350,8 @@ jobs:
         shell: cmd /C call {0}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: conda-envs/windows-environment-test.yml
