From 20ed4678977c1f7bbc3971ebd8394f7fe35d9fc9 Mon Sep 17 00:00:00 2001
From: HuangYi
Date: Wed, 16 Oct 2024 17:24:24 +0800
Subject: [PATCH] Problem: persist-credentials might leak github token unintentionally
Solution:
- try persist-credentials: false
---
 .github/workflows/build.yml | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c8532f44..37a438501 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,15 +94,17 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ steps.pr_data.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
+ persist-credentials: false
 submodules: true
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 - id: changed-files
@@ -150,7 +152,9 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cachix/install-nix-action@v23
 with:
 nix_path: nixpkgs=channel:nixos-22.11
@@ -213,17 +217,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
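Review bot: The new `persist-credentials: false` in the Checkout Comment PR Branch step sits directly next to an explicit `token: ${{ secrets.GITHUB_TOKEN }}` with nothing explaining that the token is used only for the clone and submodule fetch and is deliberately kept out of the checked-out `.git/config`, which presumably means any later step in this job that pushes or fetches would now need to supply a token of its own. Add `# token is used for the fetch only; it is not persisted, so later steps get no git credentials` above the new line. The same applies to the checkout steps in hunks `@@ -213,17 +217,19 @@`, `@@ -259,17 +265,19 @@` and `@@ -305,17 +313,19 @@`. In the Normal check out code step of this hunk the key is inserted before `submodules: true`, whereas every other step puts it after; keeping one order across steps makes the next side-by-side comparison easier. The enclosing job definition begins before the hunk.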
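Review bot: `uses: actions/checkout@v4` on the new line references a mutable major-version tag, so the token protection this commit adds still depends on whoever can move that tag; pinning to the full commit SHA of the intended release, `uses: actions/checkout@<full 40-char commit sha>  # v4` (placeholder, substitute the real SHA), closes that gap. The same holds for the `@v4` lines in every other hunk and for the bare checkout in `@@ -411,7 +421,9 @@`; the neighbouring context line `uses: tj-actions/changed-files@v41` has the same property, though it is not changed here. The added `with:` block is otherwise the right shape for this job: `persist-credentials: false` is its only input, consistent with the `contents: read` permission shown above it. The job's `permissions:` and `steps:` headers begin before the hunk.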
@@ -259,17 +265,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
@@ -305,17 +313,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
@@ -411,7 +421,9 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with: