From dd75b1454d153dc599c9829d658965932158b06d Mon Sep 17 00:00:00 2001
From: Joey Parrish <joeyparrish@google.com>
Date: Tue, 17 Dec 2024 19:42:27 -0800
Subject: [PATCH] ci: Do not persist credentials after checkout

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions.
---
 .github/workflows/publish-demo.yaml  | 1 +
 .github/workflows/release-please.yml | 1 +
 .github/workflows/test.yaml          | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/publish-demo.yaml b/.github/workflows/publish-demo.yaml
index 8d63c7e..37befbe 100644
--- a/.github/workflows/publish-demo.yaml
+++ b/.github/workflows/publish-demo.yaml
@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Build
         run: npm ci && npm run build
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index ad8c5d6..1dd5418 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -20,6 +20,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: refs/tags/${{ steps.release.outputs.tag_name }}
+          persist-credentials: false
         if: ${{ steps.release.outputs.release_created }}
 
       - uses: actions/setup-node@v1
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 0317473..a8e06e5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -22,6 +22,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Test
         run: |