From 5beb44eca7660373077633b65f055eaf0c19b4df Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Fri, 19 Sep 2025 17:52:22 +0200
Subject: [PATCH] GH Actions: do not persist credentials

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.
This has now been addressed in all workflows.
Note: in my estimation, the only workflow which _might_ be negatively affected by this, would be the `happy-new-year.yml` workflow. If that would turn out to be the case (won't be clear until next year), `persist-credentials` should be explicitly set to `true` for that workflow to document this is deliberate.
Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
---
 .github/workflows/end-to-end-tests.yml | 2 ++
 .github/workflows/happy-new-year.yml | 1 +
 .github/workflows/label-new-prs.yml | 2 ++
 .github/workflows/quicktest.yml | 2 ++
 .github/workflows/reusable-build-phar.yml | 2 ++
 .github/workflows/test.yml | 4 ++++
 .github/workflows/validate.yml | 8 ++++++++
 7 files changed, 21 insertions(+)

diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
index 707333f378..e32437e58a 100644
--- a/.github/workflows/end-to-end-tests.yml
+++ b/.github/workflows/end-to-end-tests.yml
@@ -40,6 +40,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install PHP
 uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
diff --git a/.github/workflows/happy-new-year.yml b/.github/workflows/happy-new-year.yml
index 2288a547d0..45010e4349 100644
--- a/.github/workflows/happy-new-year.yml
+++ b/.github/workflows/happy-new-year.yml
@@ -52,6 +52,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ steps.branches.outputs.BASE }}
+ persist-credentials: false
 - name: Update the year in the copyright tag in the fixed file
 id: findreplace
diff --git a/.github/workflows/label-new-prs.yml b/.github/workflows/label-new-prs.yml
index dbfb180c20..a61e2784fc 100644
--- a/.github/workflows/label-new-prs.yml
+++ b/.github/workflows/label-new-prs.yml
@@ -39,6 +39,8 @@ jobs:
 # Checkout is needed to use the `use_local_config` option.
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Verify changes to the labeling logic
 uses: srvaroa/labeler@bf262763a8a8e191f5847873aecc0f29df84f957 # v1.14.0
diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml
index 8a759c5f1f..92b3332e40 100644
--- a/.github/workflows/quicktest.yml
+++ b/.github/workflows/quicktest.yml
@@ -50,6 +50,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install PHP
 uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
diff --git a/.github/workflows/reusable-build-phar.yml b/.github/workflows/reusable-build-phar.yml
index b6b415f4d4..7a72beb3be 100644
--- a/.github/workflows/reusable-build-phar.yml
+++ b/.github/workflows/reusable-build-phar.yml
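Review bot: In the happy-new-year.yml hunk, whether the later steps still work with `persist-credentials: false` can be checked now rather than next year: the checkout targets `ref: ${{ steps.branches.outputs.BASE }}` and is followed by a find-and-replace step (`id: findreplace`), which suggests the workflow goes on to commit or open a pull request outside this hunk. A step that runs plain `git push` relies on the token stored in `.git/config` and would start failing, whereas an action that takes its own token input is unaffected. Suggest reading the steps after `findreplace` and, if a push is needed, setting `persist-credentials: true` with a comment such as `# Needed: the year bump is pushed back by a later step`, or otherwise keeping `false` and documenting that the later steps authenticate on their own. The step list continues outside the hunk.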
@@ -34,6 +34,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup PHP
 uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index eaced9bd8c..7a71e56a76 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -115,6 +115,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: "libxml2: find the latest relevant tag"
 if: ${{ matrix.libxml_minor }}
@@ -303,6 +305,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup ini config
 if: ${{ matrix.custom_ini == true && matrix.os != 'windows-latest' }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index f16babe0b3..b69d01df8a 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install PHP
 uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
@@ -44,6 +46,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Validate the XSD file.
 - name: Validate XSD against schema
@@ -88,6 +92,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Updating the lists can fail intermittently, typically after Microsoft has released a new package.
 # This should not be blocking for this job, so ignore any errors from this step.
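Review bot: In the reusable-build-phar.yml hunk, `persist-credentials: false` removes the token from `.git/config`, but the artifact-leak scenario the commit cites also depends on what this workflow uploads later: if a step outside the hunk publishes the built PHAR with `actions/upload-artifact`, a `path` pointing at the workspace root would still ship the rest of `.git` and any other files written into the tree. Confirm that the upload `path` names the PHAR file itself, and consider a comment at that step such as `# Upload only the built file, never the checkout tree` so the narrow path is not widened later. The steps after Setup PHP are outside the hunk.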
@@ -137,6 +143,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up problem matcher
 uses: lumaxis/shellcheck-problem-matchers@b02a1715a00c729b20eed3ebb7edf56fa9a433ba # v2.1.0
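Review bot: Nothing in the validate.yml hunks (or in the other workflows touched by this patch) guards against regression: a future `actions/checkout` step added without `persist-credentials: false` would silently reintroduce the persisted token, and with the same two-line stanza now repeated at eleven checkout sites, drift is easy. Since the commit already cites zizmor's `artipacked` audit, consider adding a step to this lint job that runs that audit over `.github/workflows/` so the requirement is enforced by CI rather than by review. The job's remaining steps are outside the hunk.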