
GH Actions: do not persist credentials #1390

Merged
jrfnl merged 1 commit into 3.x from feature/ghactions-do-not-persist-credentials
Mar 7, 2026

Conversation

@jrfnl (Member) commented Mar 7, 2026

Description

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Note: in my estimation, the only workflow which _might_ be negatively affected by this would be the `happy-new-year.yml` workflow.
If that turns out to be the case (it won't be clear until next year), `persist-credentials` should be explicitly set to `true` for that workflow to document that this is deliberate.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked

Suggested changelog entry

N/A
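As an added illustration (a constructed workflow, not one of this project's own workflow files), the following shows a checkout step in its default form, the hardened form this PR applies across the workflows, and the explicit opt-in for a job that genuinely needs the token later. The verification step goes slightly beyond the PR text: it assumes the `http.<server>/.extraheader` config key that `actions/checkout` writes the auth header to, which the page does not itself mention.

```yaml
name: example-persist-credentials   # constructed example, not a workflow from this repository

on: [push]

jobs:
  # Before: the default. persist-credentials is not set, so actions/checkout
  # leaves the job token in .git/config. Any later step that uploads the
  # checkout directory (e.g. actions/upload-artifact with path: .) ships it.
  before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  # After: the setting this PR applies. The token is still used for the
  # clone itself but is removed from .git/config once the checkout is done.
  after:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Defensive check: fail the job if an auth header survived in .git/config.
      # Assumption (not stated on the page): actions/checkout stores it under
      # http.<server>/.extraheader, so that is the key pattern looked for here.
      - name: Verify no credential was persisted
        run: |
          if git config --local --get-regexp '^http\..*\.extraheader$' >/dev/null 2>&1; then
            echo "::error::a credential is still persisted in .git/config"
            exit 1
          fi

  # Only where a later step must push (as happy-new-year.yml might): opt in
  # explicitly, so the retained credential is documented rather than implicit.
  needs-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: true
      - name: Commit using the persisted credential
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit --allow-empty -m "chore: automated commit (constructed example)"
          git push
```

The `after` job is the pattern to default to; the `needs-token` job shows the one case where `persist-credentials: true` belongs, and writing it out makes the exception visible to reviewers and to audit tooling such as the zizmor `artipacked` check linked above.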
@jrfnl jrfnl added this to the 3.13.6 milestone Mar 7, 2026
@jrfnl jrfnl merged commit 1017866 into 3.x Mar 7, 2026
101 checks passed
@jrfnl jrfnl deleted the feature/ghactions-do-not-persist-credentials branch March 7, 2026 04:19