From 56e40981d34f64747abeae2e13f88d6da1454923 Mon Sep 17 00:00:00 2001 From: Joey Parrish Date: Tue, 17 Dec 2024 19:32:06 -0800 Subject: [PATCH] ci: Do not persist credentials after checkout See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. --- .github/workflows/sync-common-workflows.yaml | 2 ++ .github/workflows/sync-labels.yaml | 1 + .github/workflows/test-update-issues.yaml | 1 + .github/workflows/update-issues.yaml | 1 + compute-sha/README.md | 1 + sync-labels/sync-labels.yaml | 1 + update-issues/update-issues.yaml | 1 + 7 files changed, 8 insertions(+) diff --git a/.github/workflows/sync-common-workflows.yaml b/.github/workflows/sync-common-workflows.yaml index 9b28d66..a03e3b9 100644 --- a/.github/workflows/sync-common-workflows.yaml +++ b/.github/workflows/sync-common-workflows.yaml @@ -45,6 +45,8 @@ jobs: - uses: actions/checkout@v4 with: path: workflows + persist-credentials: false + - name: Sync Workflows run: | git config --global user.email "shaka-bot@users.noreply.github.com" diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml index ac1b6ca..9dc6183 100644 --- a/.github/workflows/sync-labels.yaml +++ b/.github/workflows/sync-labels.yaml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v4 with: repository: shaka-project/shaka-github-tools + persist-credentials: false # TODO: revert to micnncim and new release after landing # https://github.com/micnncim/action-label-syncer/pull/68 diff --git a/.github/workflows/test-update-issues.yaml b/.github/workflows/test-update-issues.yaml index afa6fd9..90c6f24 100644 --- a/.github/workflows/test-update-issues.yaml +++ b/.github/workflows/test-update-issues.yaml 
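Review bot: The `Sync Workflows` step right after the hardened checkout opens with `git config --global user.email "shaka-bot@users.noreply.github.com"`, which is only needed if it commits and, presumably, pushes; with `persist-credentials: false` the token is no longer written into this checkout's `.git/config`, so confirm the push is authenticated by some other route (a token from secrets passed to the push, or another checkout step in the job that this hunk does not show), otherwise the job fails on its next run. The step body continues outside the hunk, and the hunk header puts this checkout at line 45, so an earlier checkout in the same job would not be covered by this commit (the diffstat lists only two added lines for the file) — if the push leans on that one's persisted token, the commit's stated goal is not met there. The setting carries no rationale in the file itself; a one-line comment above each added line, such as `# Do not leave the token in .git/config after checkout (actions/checkout#485)`, would keep it with the code, and applies equally to the added lines in sync-labels.yaml, test-update-issues.yaml, update-issues.yaml and the two copies under sync-labels/ and update-issues/.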
@@ -24,6 +24,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ inputs.ref || github.ref }} + persist-credentials: false - name: Test run: | diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml index 29b6984..7fc25cf 100644 --- a/.github/workflows/update-issues.yaml +++ b/.github/workflows/update-issues.yaml @@ -23,6 +23,7 @@ jobs: uses: actions/checkout@v4 with: repository: shaka-project/shaka-github-tools + persist-credentials: false - name: Update Issues env: diff --git a/compute-sha/README.md b/compute-sha/README.md index 625b85b..5af76a4 100644 --- a/compute-sha/README.md +++ b/compute-sha/README.md @@ -30,6 +30,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ needs.compute-sha.outputs.SHA }} + persist-credentials: false # ... ``` diff --git a/sync-labels/sync-labels.yaml b/sync-labels/sync-labels.yaml index ac1b6ca..9dc6183 100644 --- a/sync-labels/sync-labels.yaml +++ b/sync-labels/sync-labels.yaml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v4 with: repository: shaka-project/shaka-github-tools + persist-credentials: false # TODO: revert to micnncim and new release after landing # https://github.com/micnncim/action-label-syncer/pull/68 diff --git a/update-issues/update-issues.yaml b/update-issues/update-issues.yaml index 29b6984..7fc25cf 100644 --- a/update-issues/update-issues.yaml +++ b/update-issues/update-issues.yaml @@ -23,6 +23,7 @@ jobs: uses: actions/checkout@v4 with: repository: shaka-project/shaka-github-tools + persist-credentials: false - name: Update Issues env:
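Review bot: The blob ids in the `index` lines show that `sync-labels/sync-labels.yaml` is an exact copy of `.github/workflows/sync-labels.yaml` (`ac1b6ca..9dc6183` on both) and `update-issues/update-issues.yaml` an exact copy of `.github/workflows/update-issues.yaml` (`29b6984..7fc25cf` on both), so the `persist-credentials: false` line had to be added by hand in two places for each. This commit kept the pairs in step, but the pending TODO to switch the label-syncer action back, and any later checkout hardening, has to be repeated the same way. If the `sync-common-workflows` job is what publishes these copies, a comment at the top of each copy such as `# Generated copy of .github/workflows/sync-labels.yaml — edit that file instead` would stop edits landing on only one side; if it is not, a single source referenced from both places would be safer. Which of the two is the case is not visible in this patch.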