
Problem: persist-credentials might leak github token unintentionally (#…
…1090)

* Problem: persist-credentials might leak github token unintentionally

Solution:
- try persist-credentials: false

* refresh

---------

Signed-off-by: yihuang <[email protected]>
Co-authored-by: mmsqe <[email protected]>
yihuang and mmsqe committed Dec 18, 2024
1 parent 676b5b2 commit c656e8f
Showing 11 changed files with 48 additions and 32 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/audit.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: 1.20.3
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- name: install govulncheck
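Review bot: The checkout step at `- uses: actions/checkout@v4` only bumps the action version and does not add `persist-credentials: false`, so this job still relies on actions/checkout's default of persisting the `GITHUB_TOKEN` in the checked-out repository's git config for every later step — the leak the commit title describes. The same omission applies to buildwin.yml, codecov.yml, codeql-analysis.yml, gosec.yml, lint.yml, nix.yml, release.yml, semgrep.yml and staticmajor.yml, which likewise only change `@v3` to `@v4`. Adding `with:` / `  persist-credentials: false` under each checkout (files that already have a `with:` block with `submodules: true` only need the one extra key) would apply the fix consistently; a later step that needs push access should receive a token explicitly instead. The enclosing job in each of these files starts above the hunk.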
38 changes: 27 additions & 11 deletions .github/workflows/build.yml
Expand Up @@ -83,16 +83,18 @@ jobs:
with:
go-version: 1.20.3
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ steps.pr_data.outputs.repo_name }}
ref: ${{ steps.pr_data.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
submodules: true
if: github.event_name == 'push' || github.event_name == 'pull_request'
- id: changed-files
Expand Down Expand Up @@ -136,8 +138,10 @@ jobs:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v22
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v23
with:
# pin to nix-2.13 to workaround compability issue of 2.14,
# see: https://github.com/cachix/install-nix-action/issues/161
Expand Down Expand Up @@ -202,18 +206,20 @@ jobs:
with:
go-version: 1.20.3
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v35
with:
Expand Down Expand Up @@ -249,18 +255,20 @@ jobs:
with:
go-version: 1.20.3
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v35
with:
Expand Down Expand Up @@ -296,18 +304,20 @@ jobs:
with:
go-version: 1.20.3
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'issue_comment'
with:
submodules: true
persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
persist-credentials: false
- id: changed-files
uses: tj-actions/changed-files@v35
with:
Expand Down Expand Up @@ -403,7 +413,13 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v3
<<<<<<< HEAD
- uses: actions/checkout@v4
=======
- uses: actions/checkout@v4
with:
persist-credentials: false
>>>>>>> c23a527 (Problem: persist-credentials might leak github token unintentionally (#1090))
- id: changed-files
uses: tj-actions/changed-files@v35
with:
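Review bot: The hunk at `@@ -403,7 +413,13 @@` commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> c23a527 …`) into build.yml; the new-side count of 13 lines shows they are file content rather than page rendering, so the file is no longer valid YAML and the workflow will fail to parse before any job runs. The intended resolution is evidently the second branch, so the step should read `- uses: actions/checkout@v4` / `  with:` / `    persist-credentials: false` with the markers and the duplicate checkout line dropped. The enclosing job starts above the hunk.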
2 changes: 1 addition & 1 deletion .github/workflows/buildwin.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
with:
go-version: 1.20.3
- name: Normal check out code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
submodules: true
- name: Set GOBIN
2 changes: 1 addition & 1 deletion .github/workflows/codecov.yml
Expand Up @@ -16,7 +16,7 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: 1.20.3
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- id: changed-files
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Expand Up @@ -42,7 +42,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- uses: actions/setup-go@v3
with:
go-version: 1.20.3
2 changes: 1 addition & 1 deletion .github/workflows/gosec.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
env:
GO111MODULE: on
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: changed-files
uses: tj-actions/changed-files@v35
with:
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
- uses: actions/setup-go@v3
with:
go-version: 1.20.3
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- id: changed-files
22 changes: 11 additions & 11 deletions .github/workflows/nix.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v22
Expand All @@ -33,7 +33,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v22
Expand Down Expand Up @@ -78,7 +78,7 @@ jobs:
os: [macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v22
Expand All @@ -100,7 +100,7 @@ jobs:
test-upgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v22
Expand Down Expand Up @@ -137,7 +137,7 @@ jobs:
test-ledger:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -174,7 +174,7 @@ jobs:
test-solomachine:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -211,7 +211,7 @@ jobs:
test-slow:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -248,7 +248,7 @@ jobs:
test-ibc:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -285,7 +285,7 @@ jobs:
test-byzantine:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -322,7 +322,7 @@ jobs:
test-gov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
Expand Down Expand Up @@ -360,7 +360,7 @@ jobs:
test-grpc:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
- uses: cachix/install-nix-action@v18
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
environment: release
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v22
with:
# pin to nix-2.13 to workaround compability issue of 2.14,
Expand Down Expand Up @@ -56,7 +56,7 @@ jobs:
runs-on: macos-latest
environment: release
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v22
with:
# pin to nix-2.13 to workaround compability issue of 2.14,
2 changes: 1 addition & 1 deletion .github/workflows/semgrep.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source with GitHub Actions Checkout.
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
submodules: true
# Run the "semgrep ci" command on the command line of the docker image.
2 changes: 1 addition & 1 deletion .github/workflows/staticmajor.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Staticmajor action
id: staticmajor
uses: orijtech/staticmajor-action@main
