ci: Do not persist credentials after checkout

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions.
joeyparrish · Dec 18, 2024 · 7f53ab3 · 7f53ab3
1 parent a71cade
commit 7f53ab3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -43,6 +43,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || (github.event.number && format('refs/pull/{0}/merge', github.event.number)) }}
+          persist-credentials: false
 
       - name: Configure Build Matrix
         id: configure
@@ -96,6 +97,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || (github.event.number && format('refs/pull/{0}/merge', github.event.number)) }}
+          persist-credentials: false
 
       - name: Set Python version
         uses: actions/setup-python@v5

diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
@@ -32,6 +32,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Set Python version
         uses: actions/setup-python@v5