ci: Do not persist credentials after checkout #7772

Merged
merged 1 commit into from
Dec 18, 2024
3 changes: 3 additions & 0 deletions .github/workflows/build-and-test.yaml
Expand Up @@ -31,6 +31,7 @@ jobs:
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref || github.ref }}
persist-credentials: false

- name: Lint
run: python build/check.py
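Review bot: Nothing around this `with:` block stops a future checkout step from being added without `persist-credentials: false`, and this file alone now repeats the same block in three jobs. Consider a workflow lint that fails when an `actions/checkout` step has no explicit `persist-credentials` value, so the hardening does not silently regress the next time a job is added.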
Expand Down Expand Up @@ -104,6 +105,7 @@ jobs:
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref || github.ref }}
persist-credentials: false

# Older versions of Safari can be installed, but not to the root, and it
# can't replace the standard version, at least not on GitHub's VMs. If
Expand Down Expand Up @@ -256,6 +258,7 @@ jobs:
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref || github.ref }}
persist-credentials: false

- name: Docker
run: |
1 change: 1 addition & 0 deletions .github/workflows/demo-version-index.yaml
Expand Up @@ -30,6 +30,7 @@ jobs:
with:
# We need a list of all tags for this, so fetch the entire history.
fetch-depth: 0
persist-credentials: false

- uses: google-github-actions/auth@v2
with:
7 changes: 7 additions & 0 deletions .github/workflows/release-please.yaml
Expand Up @@ -40,6 +40,10 @@ jobs:
ref: main
# Use a special shaka-bot access token for releases.
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
# We want to explicitly use these credentials to push a tag.
# The job is only one more step, so they don't leak.
persist-credentials: true

- name: Tag the main branch
run: |
# Set missing git config for the tag.
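Review bot: The comment "The job is only one more step, so they don't leak." above `persist-credentials: true` describes the job as it looks today, not something the workflow enforces. Any step added later after "Tag the main branch" would run with RELEASE_PLEASE_TOKEN still stored in the checkout's git config. Suggest rewording the comment as an instruction to future editors, for example that no step may be added after the tag push without revisiting this setting.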
Expand Down Expand Up @@ -189,6 +193,9 @@ jobs:
fetch-depth: 0
# Use a special shaka-bot access token for releases.
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
# We want to explicitly use these credentials to create the branch.
# The job is only one more step, so they don't leak.
persist-credentials: true

- name: Create release branch
run: |
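Review bot: `persist-credentials: true` on this checkout matches the action's default, so behaviour is unchanged here and the bot token given in `token:` is still written into git config for the "Create release branch" step. If the aim is for every checkout in the repository to be uniform, an alternative is to set it to false and hand the token only to the push command inside that step; otherwise the explicit value plus comment is fine as documentation of intent.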
2 changes: 2 additions & 0 deletions .github/workflows/report-incremental-coverage.yaml
Expand Up @@ -16,6 +16,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Compute incremental code coverage
id: compute
3 changes: 3 additions & 0 deletions .github/workflows/selenium-lab-tests.yaml
Expand Up @@ -84,6 +84,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Install dependencies
run: npm ci
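Review bot: `persist-credentials: false` only removes the token from git config, and in this hunk the checkout of `needs.compute-sha.outputs.SHA` is followed directly by `npm ci`, which executes install scripts from that ref. Please confirm that no other secret reaches the "Install dependencies" step through `env:` or job-level settings, since those would not be covered by this change.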
Expand Down Expand Up @@ -154,6 +155,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Set commit status to pending
if: ${{ inputs.skip_test_status == false }}
Expand Down Expand Up @@ -235,6 +237,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Set commit status to pending
if: ${{ inputs.skip_commit_status == false }}
2 changes: 2 additions & 0 deletions .github/workflows/talk-to-shaka-bot.yaml
Expand Up @@ -24,6 +24,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Handle command
shell: bash
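Review bot: Please confirm the "Handle command" step does not rely on the token that checkout previously left in git config. With the new `with:` block setting `persist-credentials: false`, any `git push` or authenticated `git fetch` in that bash script would now fail, and the body of the step is not visible in this hunk. If the step does need to write to the repository, pass a token to that command explicitly.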
3 changes: 3 additions & 0 deletions .github/workflows/update-screenshots.yaml
Expand Up @@ -33,6 +33,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Set commit status to pending
uses: shaka-project/shaka-github-tools/set-commit-status@main
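Review bot: The action in the trailing context, `shaka-project/shaka-github-tools/set-commit-status@main`, is referenced by a mutable branch name and runs immediately after the hardened checkout. It is not part of this change, but in the same spirit a follow-up could pin it to a commit SHA (and likewise `actions/checkout@v4`), so the code that runs with this job's permissions cannot change without a reviewed update here.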
Expand Down Expand Up @@ -61,6 +62,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Get artifacts
uses: actions/download-artifact@v4
Expand Down Expand Up @@ -114,6 +116,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: ${{ needs.compute-sha.outputs.SHA }}
persist-credentials: false

- name: Compute final status
id: compute