
Commit 988c79e

authored
do not persist checkout credentials in GitHub workflows (#7044)
based on [zizmor](https://github.com/woodruffw/zizmor) analysis
1 parent 93ea424 commit 988c79e

20 files changed

+64
-0
lines changed

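--- a/.github/workflows/CI-cygwin.yml
+++ b/.github/workflows/CI-cygwin.yml
@@ -36,6 +36,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Cygwin
 uses: cygwin/cygwin-install-action@master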
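Review bot: `cygwin/cygwin-install-action@master` in the context lines of this hunk tracks a moving branch, so whatever lands on that branch runs in this job unreviewed, and the credential hardening added above does not cover that. Pin third-party actions to a full commit SHA with the ref kept as a trailing comment, e.g. `uses: cygwin/cygwin-install-action@<full-commit-sha>  # master`. The same applies, to a lesser degree, to the tag-pinned third-party actions visible in other sections (`msys2/setup-msys2@v2`, `ilammy/msvc-dev-cmd@v1`). The step list continues outside the hunk.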

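--- a/.github/workflows/CI-mingw.yml
+++ b/.github/workflows/CI-mingw.yml
@@ -32,6 +32,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up MSYS2
 uses: msys2/setup-msys2@v2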

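--- a/.github/workflows/CI-unixish-docker.yml
+++ b/.github/workflows/CI-unixish-docker.yml
@@ -41,6 +41,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install missing software on ubuntu
 if: contains(matrix.image, 'ubuntu')
@@ -92,6 +94,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install missing software on ubuntu
 if: contains(matrix.image, 'ubuntu')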

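--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -35,6 +35,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]
@@ -98,6 +100,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]
@@ -172,6 +176,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]
@@ -204,6 +210,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]
@@ -236,6 +244,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 # coreutils contains "g++" (default is "c++") and "nproc"
 - name: Install missing software on macos
@@ -258,6 +268,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]
@@ -426,6 +438,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]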
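Review bot: The seven checkout steps in this file now carry the same uncommented `with:` block, and nothing tells a later maintainer why it is there. A one-line comment above the first of them, such as `# keep the GITHUB_TOKEN out of .git/config (zizmor: artipacked)`, would stop it from being dropped in a cleanup; the same goes for the other workflow files in this commit. Any step that needs an authenticated git operation after checkout now has to be given a token explicitly. The steps after each hunk are not visible here, so that is worth confirming per job.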

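--- a/.github/workflows/CI-windows.yml
+++ b/.github/workflows/CI-windows.yml
@@ -34,6 +34,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Visual Studio environment
 uses: ilammy/msvc-dev-cmd@v1
@@ -86,6 +88,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Python 3.13
 if: matrix.config == 'release'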

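--- a/.github/workflows/asan.yml
+++ b/.github/workflows/asan.yml
@@ -28,6 +28,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]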

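--- a/.github/workflows/buildman.yml
+++ b/.github/workflows/buildman.yml
@@ -20,6 +20,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - run: |
 mkdir output
@@ -45,6 +47,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install missing software on ubuntu
 run: |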

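--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -25,6 +25,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install missing software
 run: |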

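--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,6 +33,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install missing software on ubuntu
 run: |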
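Review bot: The scope of this job's GITHUB_TOKEN is not narrowed by `persist-credentials: false`, which only removes the token copy that checkout writes into the local git config. That scope is still set by `permissions:`, which does not appear in this hunk. If the workflow has no such block, add a least-privilege one, e.g. `permissions:` with `contents: read` and `security-events: write` for the analysis upload. The job definition starts above the hunk, so this may already be in place.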

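--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -22,6 +22,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: ccache
 uses: hendrikmuhs/[email protected]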
