
Commit 8124014

committed
Fix: Set persist-credentials to false for actions/checkout
1 parent 0b82bfd commit 8124014

28 files changed

Lines changed: 67 additions & 45 deletions

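--- a/.github/actions/setup/directories/action.yml
+++ b/.github/actions/setup/directories/action.yml
@@ -102,6 +102,7 @@ runs:
 with:
 path: ${{ inputs.srcdir }}
 fetch-depth: ${{ inputs.fetch-depth }}
+persist-credentials: false
 
 - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with: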

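--- a/.github/workflows/annocheck.yml
+++ b/.github/workflows/annocheck.yml
@@ -65,6 +65,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+persist-credentials: false
 
 - uses: ./.github/actions/setup/directories
 with: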

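--- a/.github/workflows/auto_review_pr.yml
+++ b/.github/workflows/auto_review_pr.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
 with: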

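--- a/.github/workflows/baseruby.yml
+++ b/.github/workflows/baseruby.yml
@@ -54,6 +54,8 @@ jobs:
 bundler: none
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - uses: ./.github/actions/setup/ubuntu
 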
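--- a/.github/workflows/bundled_gems.yml
+++ b/.github/workflows/bundled_gems.yml
@@ -34,7 +34,7 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
 with:
 token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
 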
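Review bot: The `# zizmor: ignore[artipacked]` suppression added to the checkout step carries no reason, and this is the one checkout in the commit that keeps a non-default credential (`secrets.MATZBOT_AUTO_UPDATE_TOKEN` on non-pull events in ruby/ruby) persisted for every later git command and step in the job. Presumably a later step pushes with it, but that step is outside the hunk, so the justification should sit next to the suppression, for example a line above the step such as `# credentials stay persisted on purpose: a later step in this job pushes with this token`. It is also worth confirming that no step in this job uploads the workspace as an artifact or runs unreviewed third-party code while the token is persisted.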
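--- a/.github/workflows/check_dependencies.yml
+++ b/.github/workflows/check_dependencies.yml
@@ -31,6 +31,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - uses: ./.github/actions/setup/ubuntu
 if: ${{ contains(matrix.os, 'ubuntu') }}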

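--- a/.github/workflows/check_misc.yml
+++ b/.github/workflows/check_misc.yml
@@ -21,6 +21,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
+persist-credentials: false
 
 - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
 with:
@@ -94,6 +95,7 @@ jobs:
 repository: ruby/rdoc
 ref: ${{ steps.rdoc.outputs.ref }}
 path: .bundle/gems/rdoc-${{ steps.rdoc.outputs.version }}
+persist-credentials: false
 if: ${{ steps.rdoc.outputs.ref != '' }}
 
 - name: Generate rdoc scripts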
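Review bot: In the first hunk the checkout still receives `secrets.MATZBOT_AUTO_UPDATE_TOKEN` through `token:` while the added `persist-credentials: false` drops it once the fetch is done, so the bot token is now used only to clone. If a later step in this job pushes and relied on the persisted credential (the rest of the job is outside the hunk), it will no longer authenticate and should be handed the token explicitly in that step. If nothing pushes, the `token:` line can be removed so the job never handles the bot secret at all. Either way a short comment above `token:` stating why the non-default token is still passed would make the intent reviewable.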

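--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -41,6 +41,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Run zizmor
 uses: zizmorcore/zizmor@94308f638c114a3f42c4c842abee9cf46f166890 # v1.22.0
@@ -85,6 +87,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Install libraries
 if: ${{ contains(matrix.os, 'macos') }}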

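--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -52,7 +52,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 # Set fetch-depth: 10 so that Launchable can receive commits information.
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - name: 'clang 22 LTO'
@@ -75,7 +75,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - name: 'GCC 15 LTO'
 uses: './.github/actions/compilers'
@@ -105,7 +105,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'clang 23', with: { tag: 'clang-23' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'clang 22', with: { tag: 'clang-22' }, timeout-minutes: 5 }
@@ -127,7 +127,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'clang 13', with: { tag: 'clang-13' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'clang 12', with: { tag: 'clang-12' }, timeout-minutes: 5 }
@@ -148,7 +148,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 # -Wno-strict-prototypes is necessary with current clang-15 since
 # older autoconf generate functions without prototype and -pedantic
@@ -174,7 +174,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'C++20', with: { CXXFLAGS: '-std=c++20 -Werror=pedantic -pedantic-errors -Wno-c++11-long-long' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'C++23', with: { CXXFLAGS: '-std=c++23 -Werror=pedantic -pedantic-errors -Wno-c++11-long-long' }, timeout-minutes: 5 }
@@ -194,7 +194,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'disable-jit', with: { append_configure: '--disable-yjit --disable-zjit' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'disable-yjit', with: { append_configure: '--disable-yjit' }, timeout-minutes: 5 }
@@ -216,7 +216,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'NDEBUG', with: { cppflags: '-DNDEBUG' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'RUBY_DEBUG', with: { cppflags: '-DRUBY_DEBUG' }, timeout-minutes: 5 }
@@ -236,7 +236,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'HASH_DEBUG', with: { cppflags: '-DHASH_DEBUG' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'ID_TABLE_DEBUG', with: { cppflags: '-DID_TABLE_DEBUG' }, timeout-minutes: 5 }
@@ -256,7 +256,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'USE_LAZY_LOAD', with: { cppflags: '-DUSE_LAZY_LOAD' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'USE_SYMBOL_GC=0', with: { cppflags: '-DUSE_SYMBOL_GC=0' }, timeout-minutes: 5 }
@@ -276,7 +276,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'GC_DEBUG_STRESS_TO_CLASS', with: { cppflags: '-DGC_DEBUG_STRESS_TO_CLASS' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'GC_ENABLE_LAZY_SWEEP=0', with: { cppflags: '-DGC_ENABLE_LAZY_SWEEP=0' }, timeout-minutes: 5 }
@@ -295,7 +295,7 @@ jobs:
 services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } }
 - { uses: './.github/actions/compilers', name: 'VM_DEBUG_BP_CHECK', with: { cppflags: '-DVM_DEBUG_BP_CHECK' }, timeout-minutes: 5 }
 - { uses: './.github/actions/compilers', name: 'VM_DEBUG_VERIFY_METHOD_CACHE', with: { cppflags: '-DVM_DEBUG_VERIFY_METHOD_CACHE' }, timeout-minutes: 5 }
@@ -321,7 +321,7 @@ jobs:
 - 'compileC'
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github }
+with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
 - uses: ./.github/actions/slack
 with:
 label: 'omnibus'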
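Review bot: The `services:` context line in each of the first twelve hunks starts `docuum` from `image: 'stephanmisc/docuum'` with no tag or digest and mounts `/var/run/docker.sock` into it, so whatever that mutable reference resolves to is given control of the runner's Docker daemon. The commit hardens the checkout steps right below but leaves this untouched; pinning the image by digest, `image: 'stephanmisc/docuum@sha256:<digest>'` (placeholder, to be taken from a reviewed image), would match the SHA-pinned `uses:` entries in the same jobs. The service definitions are unchanged context and the job headers lie outside the hunks, so this may be better handled as a follow-up change.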

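--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -41,6 +41,8 @@ jobs:
 - run: git config --global core.autocrlf input
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Setup Cygwin
 uses: cygwin/cygwin-install-action@master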
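Review bot: The step directly after the hardened checkout still runs `cygwin/cygwin-install-action@master`, a branch reference that can change underneath the workflow, while the other actions visible in this commit are pinned to a full commit SHA with a version comment. Pinning it the same way, `uses: cygwin/cygwin-install-action@<commit-sha> # <tag>` (placeholders), would close the same kind of supply-chain gap the commit is addressing for checkout. The line is unchanged context and the step's remaining keys lie outside the hunk.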
