Skip to content

ci: disable credential persistence in build-validation checkout#1901

Merged
merill merged 2 commits into
maester365:mainfrom
SamErde:ci/checkout-persist-credentials
Jul 6, 2026
Merged

ci: disable credential persistence in build-validation checkout#1901
merill merged 2 commits into
maester365:mainfrom
SamErde:ci/checkout-persist-credentials

Conversation

@SamErde

@SamErde SamErde commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

TL;DR

Sets persist-credentials: false on the actions/checkout step in build-validation.yaml. This job only reads the repository and never pushes or fetches with the token after checkout, so persisting the credential in the git config is unnecessary. Low-cost hardening default (zizmor artipacked finding).

Scope

Intentionally limited to build-validation.yaml. The publish workflows are excluded because they use stefanzweifel/git-auto-commit-action to commit website version bumps, which requires the persisted checkout credential.

Follow-up to review feedback on #1899. Minimal 4-line diff (the file's existing mixed line endings are left untouched here; normalization is proposed separately in #1900).

Suggested by CodeRabbit.

Summary by CodeRabbit

  • Chores
    • Improved the build validation process to prevent checkout credentials from being retained after repository access, reducing the risk of unintended token persistence.

The build-validation job only reads the repository and never pushes or
fetches with the token after checkout, so persisting credentials in the
git config is unnecessary. Explicitly set persist-credentials: false as
a hardening default (zizmor 'artipacked' finding).

Suggested by CodeRabbit during review of maester365#1899.
Copilot AI review requested due to automatic review settings July 2, 2026 19:41
@SamErde SamErde requested a review from a team as a code owner July 2, 2026 19:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the CI build-validation workflow by preventing GitHub’s checkout action from persisting the workflow token in the local git config after checkout, aligning with the job’s read-only usage.

Changes:

  • Set persist-credentials: false on the actions/checkout step in build-validation.yaml.
  • Added inline comments documenting why credential persistence is disabled.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 809f5d81-6032-4ab3-9ef7-4213a5d34634

📥 Commits

Reviewing files that changed from the base of the PR and between 93c2de9 and 5110cc7.

📒 Files selected for processing (1)
  • .github/workflows/build-validation.yaml

📝 Walkthrough

Walkthrough

The actions/checkout step in the build-validation workflow was updated to add persist-credentials: false, with comments explaining the repository checkout token should not remain in git config.

Changes

Checkout Hardening

Layer / File(s) Summary
Set persist-credentials false in checkout step
.github/workflows/build-validation.yaml
Adds a with block to actions/checkout that sets persist-credentials: false and documents the read-only checkout behavior.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: disabling persisted checkout credentials in build-validation.
Description check ✅ Passed The description covers what changed, why, and the limited scope, but omits the template's issue-closing line and checklist details.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@merill merill left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@merill merill merged commit 01999e9 into maester365:main Jul 6, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants