[CI] Don't persist git credentials in CI
# Motivation

https://yossarian.net/til/post/actions-checkout-can-leak-github-credentials shows a common way to leak git credentials in CI. While we are not publishing artifacts right now, we can harden our security here by disabling the persistence of git credentials as much as possible.

# Modification

Don't persist git credentials when not needed.

# Result

Less likely to leak credentials
FranzBusch committed Aug 19, 2024
1 parent a4e0a13 commit f2d0556
Showing 4 changed files with 19 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/pull_request_label.yml
@@ -12,5 +12,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check for Semantic Version label
uses: ./.github/actions/pull_request_semver_label_checker/
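Review bot: `uses: actions/checkout@v4` in this hunk still references a mutable major-version tag; since the whole point of the change is to stop the checkout step from leaving a usable token behind, the complementary hardening is to pin the action to a full commit SHA (keeping `v4` in a trailing comment) so that the code which handles the token cannot change underneath the workflow. The added `with:` / `persist-credentials: false` block itself is correct and matches what the other workflows in this commit do.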
13 changes: 13 additions & 0 deletions .github/workflows/soundness.yml
@@ -59,6 +59,7 @@ jobs:
with:
# We need to fetch everything otherwise only the head commit will be fetched.
fetch-depth: 0
persist-credentials: false
- name: Mark the workspace as safe
# https://github.com/actions/checkout/issues/766
run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
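Review bot: `persist-credentials: false` placed next to `fetch-depth: 0` is fine for this job, because the only step shown afterwards runs a local git operation (the `safe.directory` config), but be aware of what the option does and does not do: the token is still used for the full-history fetch itself and is only removed from `.git/config` once the checkout finishes. Any later step in this job that pushes, or fetches from a private remote, will now need credentials supplied explicitly, so it is worth grepping the rest of the job for `git push` / `git fetch` before merging.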
@@ -75,6 +76,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run documentation check
run: |
apt-get -qq update && apt-get -qq -y install curl yq
@@ -88,6 +91,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run unacceptable language check
env:
UNACCEPTABLE_WORD_LIST: ${{ inputs.unacceptable_language_check_word_list}}
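Review bot: style point on the unchanged context line directly below the new `with:` block: `${{ inputs.unacceptable_language_check_word_list}}` is missing the space before `}}`, while the equivalent line in the license header job reads `${{ inputs.license_header_check_project_name }}`. It parses either way, but since this commit touches every checkout step in the file it is a cheap moment to make the expression spacing consistent.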
@@ -101,6 +106,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run license header check
env:
PROJECT_NAME: ${{ inputs.license_header_check_project_name }}
@@ -114,6 +121,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run broken symlinks check
run: curl -s https://raw.githubusercontent.com/apple/swift-nio/main/scripts/check-broken-symlinks.sh | bash

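Review bot: the step right after the new `with:` block, `curl -s https://raw.githubusercontent.com/apple/swift-nio/main/scripts/check-broken-symlinks.sh | bash`, pipes a script fetched from the mutable `main` branch of another repository straight into a shell. That is a larger supply-chain exposure than the credential persistence this commit removes: anyone who can change that file on `main` runs arbitrary code in this job. Pin the URL to a commit SHA (or vendor the script into this repository) and, if it has to stay remote, download it to a file and check a known hash before executing it. Separately, `curl -s` without `-f` will happily pipe an HTML error page into `bash` on a 404; `curl -sSf` fails the step instead.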
@@ -127,6 +136,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Mark the workspace as safe
# https://github.com/actions/checkout/issues/766
run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
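Review bot: the `safe.directory` workaround from actions/checkout#766 is still needed after `persist-credentials: false`, since it concerns directory ownership rather than authentication, so keeping it is right. Minor: `${GITHUB_WORKSPACE}` is unquoted in `git config --global --add safe.directory ${GITHUB_WORKSPACE}`; quoting it as `"${GITHUB_WORKSPACE}"` avoids word splitting if the workspace path ever contains spaces.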
@@ -143,6 +154,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Mark the workspace as safe
# https://github.com/actions/checkout/issues/766
run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
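Review bot: this is the third job in `soundness.yml` carrying the identical checkout, `with:` block and `safe.directory` step, and the new two lines widen the duplication. The repository already uses a local composite action (`./.github/actions/pull_request_semver_label_checker/` in `pull_request_label.yml`), so a small `checkout` composite action that bundles `persist-credentials: false` with the `safe.directory` step would make it impossible for a future job to forget the setting.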
2 changes: 2 additions & 0 deletions .github/workflows/swift_6_language_mode.yml
@@ -17,6 +17,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set the language mode
run: swift package tools-version --set 6.0
- name: Build with Swift 6 language mode
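Review bot: `swift package tools-version --set 6.0` rewrites `Package.swift` in the checked-out tree, so this job is one where dropping the persisted token actually changes the blast radius: with `persist-credentials: false` nothing later in the job can accidentally push that modified manifest back. Worth a comment on the step saying the manifest change is intentionally local, so nobody adds a `git diff --exit-code` style check to this job later and wonders why it fails.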
2 changes: 2 additions & 0 deletions .github/workflows/swift_matrix.yml
@@ -81,6 +81,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run matrix job
if: ${{ matrix.swift.enabled }}
env:
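Review bot: `Run matrix job` is guarded by `if: ${{ matrix.swift.enabled }}`, but the checkout step above it is not, so a disabled matrix entry still clones the repository and still hands the token to `actions/checkout` for that fetch. Add the same `if:` condition to the checkout step so a disabled entry does no work at all; it is also a small saving on runner time.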