From 7f53ab349358d33a3e73304301c747f494e1c932 Mon Sep 17 00:00:00 2001
From: Joey Parrish <joeyparrish@google.com>
Date: Tue, 17 Dec 2024 20:01:58 -0800
Subject: [PATCH] ci: Do not persist credentials after checkout

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions.
---
 .github/workflows/build-and-test.yaml | 2 ++
 .github/workflows/publish-docs.yaml   | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index 25cdf9d..6d9e727 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -43,6 +43,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || (github.event.number && format('refs/pull/{0}/merge', github.event.number)) }}
+          persist-credentials: false
 
       - name: Configure Build Matrix
         id: configure
@@ -96,6 +97,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || (github.event.number && format('refs/pull/{0}/merge', github.event.number)) }}
+          persist-credentials: false
 
       - name: Set Python version
         uses: actions/setup-python@v5
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index 4368757..00af996 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -32,6 +32,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Set Python version
         uses: actions/setup-python@v5