From c656e8f53a767c449f84f9901948a81910ec18a1 Mon Sep 17 00:00:00 2001
From: yihuang
Date: Wed, 30 Oct 2024 13:06:20 +0800
Subject: [PATCH] Problem: persist-credentials might leak github token unintentionally (#1090)
* Problem: persist-credentials might leak github token unintentionally
Solution:
- try persist-credentials: false
* refresh
---------
Signed-off-by: yihuang
Co-authored-by: mmsqe
---
 .github/workflows/audit.yml | 2 +-
 .github/workflows/build.yml | 38 +++++++++++++++++++--------
 .github/workflows/buildwin.yml | 2 +-
 .github/workflows/codecov.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/gosec.yml | 2 +-
 .github/workflows/lint.yml | 2 +-
 .github/workflows/nix.yml | 22 ++++++++--------
 .github/workflows/release.yml | 4 +--
 .github/workflows/semgrep.yml | 2 +-
 .github/workflows/staticmajor.yml | 2 +-
 11 files changed, 48 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index cc0f921a3..c8d4490ae 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -17,7 +17,7 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.20.3
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - name: install govulncheck
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a866943e7..632b05b2e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
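Review bot: The audit.yml checkout in this hunk is only bumped to actions/checkout@v4 and does not receive the `persist-credentials: false` that the commit title is about, so the job token is still written into the checkout's .git/config where every later step in the job (the govulncheck install here) can read it. The same gap is visible in buildwin.yml, codecov.yml, codeql-analysis.yml, gosec.yml, lint.yml, every job in nix.yml, both release.yml jobs, semgrep.yml and staticmajor.yml, which all get the version bump and nothing else; release.yml matters most since its jobs run under `environment: release`. Add `persist-credentials: false` under each checkout's existing `with:` block, and add a `with:` block where the step has none (codeql-analysis.yml, gosec.yml, release.yml, staticmajor.yml). No step visible in these hunks pushes back to the repository, so nothing shown depends on the persisted credential; the rest of each file is outside the diff, so that should be confirmed before merging.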
@@ -83,16 +83,18 @@ jobs:
 with:
 go-version: 1.20.3
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 repository: ${{ steps.pr_data.outputs.repo_name }}
 ref: ${{ steps.pr_data.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
+ persist-credentials: false
 submodules: true
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 - id: changed-files
@@ -136,8 +138,10 @@ jobs:
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v22
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - uses: cachix/install-nix-action@v23
 with:
 # pin to nix-2.13 to workaround compability issue of 2.14,
 # see: https://github.com/cachix/install-nix-action/issues/161
@@ -202,18 +206,20 @@ jobs:
 with:
 go-version: 1.20.3
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 repository: ${{ needs.build.outputs.repo_name }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v35
 with:
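Review bot: Every `uses:` added in these three hunks references a mutable major tag (`actions/checkout@v4`, `cachix/install-nix-action@v23`), so a moved tag would silently change the code that runs with access to the job token; pinning each to a full-length commit SHA with a trailing `# v4`-style comment is the supply-chain hardening that pairs with `persist-credentials: false`. The @@ -136 hunk also bumps cachix/install-nix-action from v22 to v23, which the commit message does not mention and which leaves nix.yml on v22/v18 (visible in its context lines), so it is probably better as its own change. In the two issue_comment checkouts the explicit `token: ${{ secrets.GITHUB_TOKEN }}` is still needed for the fetch of the PR ref; the new `persist-credentials: false` only stops that token from being stored in .git/config for later steps, which is the intended effect.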
@@ -249,18 +255,20 @@ jobs:
 with:
 go-version: 1.20.3
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 repository: ${{ needs.build.outputs.repo_name }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v35
 with:
@@ -296,18 +304,20 @@ jobs:
 with:
 go-version: 1.20.3
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 repository: ${{ needs.build.outputs.repo_name }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v35
 with:
@@ -403,7 +413,13 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 steps:
- - uses: actions/checkout@v3
+<<<<<<< HEAD
+ - uses: actions/checkout@v4
+=======
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+>>>>>>> c23a527 (Problem: persist-credentials might leak github token unintentionally (#1090))
 - id: changed-files
 uses: tj-actions/changed-files@v35
 with:
diff --git a/.github/workflows/buildwin.yml b/.github/workflows/buildwin.yml
index 383b773ec..114320786 100644
--- a/.github/workflows/buildwin.yml
+++ b/.github/workflows/buildwin.yml
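Review bot: The @@ -403 hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> c23a527 (...)`) into build.yml, which makes the file invalid YAML, so the whole workflow will fail to load rather than run on the next push or pull request. The HEAD side also lacks the `persist-credentials: false` the commit is introducing, so keeping it would silently undo the fix for this job. Resolve by keeping only the second side, `- uses: actions/checkout@v4` / `with:` / `persist-credentials: false`, which matches what the other jobs in this file now do, and drop the three marker lines. The @@ -249 and @@ -296 hunks are consistent with the earlier build.yml hunks and raise nothing new.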
@@ -17,7 +17,7 @@ jobs:
 with:
 go-version: 1.20.3
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 submodules: true
 - name: Set GOBIN
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index fae032e17..76eecae43 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -16,7 +16,7 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.20.3
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - id: changed-files
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 39b668436..842ce198b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - uses: actions/setup-go@v3
 with:
 go-version: 1.20.3
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 66e7432d8..76663b637 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -17,7 +17,7 @@ jobs:
 env:
 GO111MODULE: on
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - id: changed-files
 uses: tj-actions/changed-files@v35
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8328d42ff..722714a03 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,7 +15,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
 go-version: 1.20.3
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - id: changed-files
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 91e6f7c2c..db68c42d7 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -13,7 +13,7 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v22
@@ -33,7 +33,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v22
@@ -78,7 +78,7 @@ jobs:
 os: [macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v22
@@ -100,7 +100,7 @@ jobs:
 test-upgrade:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v22
@@ -137,7 +137,7 @@ jobs:
 test-ledger:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -174,7 +174,7 @@ jobs:
 test-solomachine:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -211,7 +211,7 @@ jobs:
 test-slow:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -248,7 +248,7 @@ jobs:
 test-ibc:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -285,7 +285,7 @@ jobs:
 test-byzantine:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -322,7 +322,7 @@ jobs:
 test-gov:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
@@ -360,7 +360,7 @@ jobs:
 test-grpc:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 - uses: cachix/install-nix-action@v18
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d809d0aa4..2e4071cf8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: release
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - uses: cachix/install-nix-action@v22
 with:
 # pin to nix-2.13 to workaround compability issue of 2.14,
@@ -56,7 +56,7 @@ jobs:
 runs-on: macos-latest
 environment: release
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - uses: cachix/install-nix-action@v22
 with:
 # pin to nix-2.13 to workaround compability issue of 2.14,
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c04ec28a0..4479ea4fc 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -21,7 +21,7 @@ jobs:
 if: (github.actor != 'dependabot[bot]')
 steps:
 # Fetch project source with GitHub Actions Checkout.
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 submodules: true
 # Run the "semgrep ci" command on the command line of the docker image.
diff --git a/.github/workflows/staticmajor.yml b/.github/workflows/staticmajor.yml
index 167fbf296..4312de541 100644
--- a/.github/workflows/staticmajor.yml
+++ b/.github/workflows/staticmajor.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Staticmajor action
 id: staticmajor
 uses: orijtech/staticmajor-action@main