fix: ensure every action disables git credential persistence (#821)

* Ensure every action disables Git credential persistence

Reduces the possibility of inadvertently leaking the credentials in consuming workflows.

Signed-off-by: Jack Baldry <[email protected]>

* Update READMEs to encourage not persisting credentials

Signed-off-by: Jack Baldry <[email protected]>

---------

Signed-off-by: Jack Baldry <[email protected]>

Author: jdbaldry

README.md

@@ -61,6 +61,7 @@ will ensure actions in this repo are always used at the same commit. To do this:
     # action), so if multiple actions check `shared-workflows` out, they don't
     # overwrite each other
     path: _shared-workflows-your-action
+    persist-credentials: false
 
 - name: Use another action
   uses: ./_shared-workflows-your-action/actions/some-action

actions/argo-lint/action.yaml

@@ -23,6 +23,7 @@ runs:
         repository: ${{ env.action_repo }}
         ref: ${{ env.action_ref }}
         path: _shared-workflows-argo-lint
+        persist-credentials: false
 
     - name: Setup Argo
       uses: ./_shared-workflows-argo-lint/actions/setup-argo

actions/build-push-to-dockerhub/README.md

@@ -23,6 +23,8 @@ jobs:
     steps:
       - id: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - id: push-to-dockerhub
         uses: grafana/shared-workflows/actions/[email protected]

actions/build-push-to-dockerhub/action.yaml

@@ -75,6 +75,7 @@ runs:
         repository: ${{ env.action_repo }}
         ref: ${{ env.action_ref }}
         path: _shared-workflows-build-push-to-dockerhub
+        persist-credentials: false
 
     - name: Login to DockerHub
       if: ${{ inputs.push == 'true' }}

actions/dockerhub-login/action.yaml

@@ -16,6 +16,7 @@ runs:
         repository: ${{ env.action_repo }}
         ref: ${{ env.action_ref }}
         path: _shared-workflows-dockerhub-login
+        persist-credentials: false
 
     - name: Get secrets for DockerHub login
       id: get-secrets

actions/generate-openapi-clients/README.md

@@ -36,6 +36,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v1.0.1
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v1.0.1
         with:
           go-version: 1.18

actions/lint-pr-title/README.md

@@ -83,7 +83,9 @@ jobs:
   lint-pr-title:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - id: lint-pr-title
         uses: grafana/shared-workflows/actions/[email protected]

actions/push-to-gar-docker/README.md

@@ -27,6 +27,8 @@ jobs:
     steps:
       - id: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - id: push-to-gar
         uses: grafana/shared-workflows/actions/[email protected]

actions/push-to-gar-docker/action.yaml

@@ -107,6 +107,7 @@ runs:
         repository: ${{ env.action_repo }}
         ref: ${{ env.action_ref }}
         path: shared-workflows
+        persist-credentials: false
 
     - name: Get repository name
       id: get-repository-name

actions/push-to-gcs/README.md

@@ -28,6 +28,9 @@ jobs:
     runs-on: ubuntu-x64-small
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: grafana/shared-workflows/actions/login-to-gcs@main
         id: login-to-gcs