Problem: persist-credentials might leak github token unintentionally (#…
…1090)

* Problem: persist-credentials might leak github token unintentionally

Solution:
- try persist-credentials: false

* refresh

---------

Signed-off-by: yihuang <[email protected]>
Co-authored-by: mmsqe <[email protected]>
yihuang and mmsqe authored Oct 30, 2024
1 parent e92dda1 commit c23a527
Showing 2 changed files with 15 additions and 3 deletions.
12 changes: 12 additions & 0 deletions .github/workflows/build.yml
@@ -98,11 +98,13 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ steps.pr_data.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
with:
persist-credentials: false
submodules: true
if: github.event_name == 'push' || github.event_name == 'pull_request'
- id: changed-files
@@ -151,6 +153,8 @@ jobs:
security-events: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-22.11
@@ -217,13 +221,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -263,13 +269,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -309,13 +317,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -412,6 +422,8 @@ jobs:
if: github.event_name == 'push' || github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
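Review bot: The `issue_comment` checkouts still fetch a PR-supplied ref (`ref: ${{ steps.pr_data.outputs.ref }}`, `ref: ${{ needs.build.outputs.ref }}`) into a run that holds the base repository's token, and `persist-credentials: false` only keeps that token out of the checkout's `.git/config`; it does not narrow what the token is allowed to do. If the jobs do not already declare one outside these hunks, give each a job-level `permissions:` block limited to `contents: read` (only one job's `security-events: write` is visible here) and confirm the comment trigger is gated on the commenter's `author_association`. The third-party actions in the same jobs are referenced by mutable tag (`tj-actions/changed-files@v41`, `cachix/install-nix-action@v23`) and still run with access to the job token, so pinning them to a full commit SHA is a worthwhile follow-up. Every step list here starts and ends outside its hunk, so the surrounding job definitions could not be checked.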
6 changes: 3 additions & 3 deletions integration_tests/install_solo_machine.nix
@@ -5,17 +5,17 @@ let
x86_64-linux = {
url =
"https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/ubuntu-latest-${version}.tar.gz";
sha256 = "sha256-wQix7ZeYTVD+yIWGr4F+XXnHbvXe2WZeNxG2lIDtmJ4=";
sha256 = "sha256-b+A8G7HGl1Kv32X0ybV6RODQjqAHqfAo3DQh1DtY6UQ=";
};
x86_64-darwin = {
url =
"https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz";
sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4=";
sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U=";
};
aarch64-darwin = {
url =
"https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz";
sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4=";
sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U=";
};
}.${stdenv.system} or (throw
"Unsupported system: ${stdenv.system}");
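Review bot: All three `sha256` values are replaced while the download URLs and `${version}` appear unchanged (the section counts three changed lines, all of them hashes), which suggests the upstream release archives were re-published under the same tag; the commit message says only "refresh". A fixed-output hash exists to catch exactly this kind of silent artefact change, so the reason should be recorded next to the hashes, e.g. `# <version> release assets were re-uploaded upstream; hashes re-verified on <date>`. The `version` binding and the fetch call sit outside the hunk, so whether the tag itself moved could not be checked here.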
