Problem: persist-credentials might leak github token unintentionally
Solution:
- try persist-credentials: false
yihuang authored and mmsqe committed Oct 30, 2024
1 parent e92dda1 commit f23053b
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions .github/workflows/build.yml
@@ -98,11 +98,13 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ steps.pr_data.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
with:
persist-credentials: false
submodules: true
if: github.event_name == 'push' || github.event_name == 'pull_request'
- id: changed-files
@@ -151,6 +153,8 @@ jobs:
security-events: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-22.11
@@ -217,13 +221,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -263,13 +269,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -309,13 +317,15 @@ jobs:
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
@@ -412,6 +422,8 @@ jobs:
if: github.event_name == 'push' || github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v41
with:
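Review bot: `persist-credentials: false` only stops actions/checkout from leaving the token in the local git config, so the steps that run after each checkout can still receive the job token through their inputs. Those steps are third-party actions referenced by mutable tags (`tj-actions/changed-files@v41` in five hunks, `cachix/install-nix-action@v23` in the hunk at `@@ -151,6 +153,8 @@`). Pinning each to a reviewed full commit SHA, e.g. `uses: tj-actions/changed-files@<full-commit-sha>  # v41`, would close more of the leak path the commit title describes. The `issue_comment` checkouts also fetch a PR-derived ref (`steps.pr_data.outputs.ref`, `needs.build.outputs.ref`) with `submodules: true`, and whether the commenter is authorised is decided outside these hunks, so that gate should be confirmed. Only the job showing `security-events: write` appears to scope its token here; the other jobs would benefit from an explicit minimal `permissions:` block if they do not already have one.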