From 6a13bef1d9e7c1dabc47670d0a20487e43b68f01 Mon Sep 17 00:00:00 2001 From: Joey Parrish Date: Tue, 17 Dec 2024 20:00:13 -0800 Subject: [PATCH] ci: Do not persist credentials after checkout See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. --- .github/workflows/build-docker.yaml | 1 + .github/workflows/build-docs.yaml | 1 + .github/workflows/build.yaml | 2 ++ .github/workflows/lint.yaml | 1 + .github/workflows/publish-docker.yaml | 1 + .github/workflows/publish-npm.yaml | 1 + .github/workflows/release-please.yaml | 1 + .github/workflows/test-linux-distros.yaml | 2 ++ 8 files changed, 10 insertions(+) diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index 99f831cde2e..1e36ceaad57 100644 --- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml @@ -31,6 +31,7 @@ jobs: with: ref: ${{ inputs.ref }} submodules: recursive + persist-credentials: false - name: Build shell: bash diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml index 899f8da0f86..1037d78300b 100644 --- a/.github/workflows/build-docs.yaml +++ b/.github/workflows/build-docs.yaml @@ -43,6 +43,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} + persist-credentials: false - name: Generate docs run: | diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index df53eaea32e..32a437b765e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -47,6 +47,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} + persist-credentials: false - name: Configure Build Matrix id: configure @@ -99,6 +100,7 @@ jobs: ref: ${{ inputs.ref }} submodules: recursive fetch-tags: true + persist-credentials: false - name: Install Linux deps if: runner.os == 'Linux' diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 1d43098ee2d..ed8a270222c 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -33,6 +33,7 @@ jobs: # We must use 'fetch-depth: 2', or else the linter won't have another # revision to compare to. fetch-depth: 2 + persist-credentials: false - name: Lint shell: bash diff --git a/.github/workflows/publish-docker.yaml b/.github/workflows/publish-docker.yaml index c7b01b9141c..1cbc05b080c 100644 --- a/.github/workflows/publish-docker.yaml +++ b/.github/workflows/publish-docker.yaml @@ -48,6 +48,7 @@ jobs: ref: ${{ inputs.tag }} submodules: recursive fetch-tags: true + persist-credentials: false - name: Log in to Docker Hub uses: docker/login-action@v3 diff --git a/.github/workflows/publish-npm.yaml b/.github/workflows/publish-npm.yaml index a8172c1797b..579db44d440 100644 --- a/.github/workflows/publish-npm.yaml +++ b/.github/workflows/publish-npm.yaml @@ -44,6 +44,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ inputs.tag }} + persist-credentials: false - uses: actions/setup-node@v4 with: diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index a411e952693..5771c57864f 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -55,6 +55,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-tags: true + persist-credentials: false - name: Compute latest id: compute diff --git a/.github/workflows/test-linux-distros.yaml b/.github/workflows/test-linux-distros.yaml index 992900b174b..e47de0734c5 100644 --- a/.github/workflows/test-linux-distros.yaml +++ b/.github/workflows/test-linux-distros.yaml @@ -32,6 +32,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} + persist-credentials: false - name: Configure Build Matrix id: configure @@ -69,6 +70,7 @@ jobs: with: ref: ${{ inputs.ref }} submodules: recursive + persist-credentials: false - name: Build in Docker run: ./packager/testing/test_dockers.sh "${{ matrix.os_name }}"