From fdf8dde38a97ec44d579b8a006c32ede374fba0d Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 5 May 2026 12:34:57 +0100
Subject: [PATCH] Tell `actions/checkout` not to persist credentials

Recommended by `zizmor`. See https://docs.zizmor.sh/audits/#artipacked for an explanation.
---
 .github/workflows/build.yaml | 7 +++++++
 .github/workflows/ci.yaml | 20 ++++++++++++++++++++
 .github/workflows/coverage.yaml | 6 ++++++
 .github/workflows/docs.yaml | 2 ++
 .github/workflows/merge-back.yaml | 1 +
 .github/workflows/release-branch.yaml | 5 +++++
 .github/workflows/release-bump.yaml | 3 +++
 .github/workflows/tag.yaml | 2 ++
 .github/workflows/translations-download.yaml | 2 ++
 .github/workflows/translations-upload.yaml | 2 ++
 10 files changed, 50 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3d1e6d315..db97fc562 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -50,6 +50,7 @@ jobs:
 with:
 # Need a full clone so that `git describe` reports the right version
 fetch-depth: 0
+ persist-credentials: false
 - name: Compute version and timestamp out of git history
 id: git
@@ -68,6 +69,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/build-frontend
 - uses: ./.github/actions/build-policies
@@ -113,6 +116,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
@@ -380,6 +385,7 @@ jobs:
 with:
 sparse-checkout: |
 .github/scripts
+ persist-credentials: false
 - name: Download the artifacts from the previous job
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
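Review bot: The new `persist-credentials: false` in the first build.yaml hunk sits directly under `fetch-depth: 0`, which already carries a why-comment, but the new line has none, and nothing in the workflow itself records why the checkout default is being turned off. The rationale only lives in the commit message, so a later edit can easily drop the line as noise; a one-line comment at least here would anchor it, e.g. `# Don't leave the checkout token in .git/config for later steps (zizmor: artipacked)`. The remaining hunks in this file add the same flag without comment, which is fine if this one line is the documented instance. The enclosing job bodies start outside the hunk.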
@@ -458,6 +464,7 @@ jobs:
 with:
 sparse-checkout: |
 .github/scripts
+ persist-credentials: false
 - name: Remove label and comment
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ca2ed7645..218300e02 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -35,6 +35,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/build-policies
@@ -62,6 +64,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -86,6 +90,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -110,6 +116,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -134,6 +142,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@nightly
@@ -157,6 +167,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Run `cargo-deny`
 uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
@@ -173,6 +185,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 run: |
@@ -214,6 +228,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@b1b44fef029483cc79808c5eb89461241fd8f32f # 1.93.0
@@ -239,6 +255,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
@@ -292,6 +310,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index d35ab9d0c..e870d5b3a 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/build-policies
@@ -55,6 +57,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/build-frontend
 env:
@@ -100,6 +104,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 94601caf6..460be4195 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -26,6 +26,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/merge-back.yaml b/.github/workflows/merge-back.yaml
index 82162c78e..f6a4d4aec 100644
--- a/.github/workflows/merge-back.yaml
+++ b/.github/workflows/merge-back.yaml
@@ -28,6 +28,7 @@ jobs:
 with:
 sparse-checkout: |
 .github/scripts
+ persist-credentials: false
 - name: Push branch and open a PR
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.github/workflows/release-branch.yaml b/.github/workflows/release-branch.yaml
index f81bbd392..4c48ebe56 100644
--- a/.github/workflows/release-branch.yaml
+++ b/.github/workflows/release-branch.yaml
@@ -35,6 +35,8 @@ jobs:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
@@ -62,6 +64,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -110,6 +114,7 @@ jobs:
 with:
 sparse-checkout: |
 .github/scripts
+ persist-credentials: false
 - name: Create a new release branch
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.github/workflows/release-bump.yaml b/.github/workflows/release-bump.yaml
index 75f52a451..6fc357840 100644
--- a/.github/workflows/release-bump.yaml
+++ b/.github/workflows/release-bump.yaml
@@ -34,6 +34,8 @@ jobs:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
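Review bot: In the merge-back.yaml hunk the step that follows the modified checkout is named `Push branch and open a PR`; with `persist-credentials: false` the checkout no longer leaves its token in `.git/config`, so if the script loaded from the sparse-checked-out `.github/scripts` pushes with plain `git push` from the working tree it will now fail to authenticate, whereas a push made through the `github-script` octokit client (for example `github.rest.git.createRef`) is unaffected. Please confirm which path the script takes — the job body and the script are outside the hunk — and if it does shell out to git, give that step an explicit token rather than relying on the checkout having persisted one. Since this workflow is presumably only exercised on a real merge-back, a trial run on a scratch branch before this lands would catch the regression cheaply.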
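Review bot: The `Create a new release branch` step after the changed checkout in the last release-branch.yaml hunk follows the same pattern as merge-back.yaml: a `github-script` step over a sparse checkout of `.github/scripts`, and it keeps working only if it creates the branch through the API rather than via `git push` from a working tree that, after this change, carries no credentials. Please verify this against the script, which is outside the hunk; if it uses `git`, pass the token to that step explicitly. The two earlier hunks in this file appear to precede read-only toolchain setup and need nothing further.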
@@ -80,6 +82,7 @@ jobs:
 with:
 sparse-checkout: |
 .github/scripts
+ persist-credentials: false
 - name: Update the release branch
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml
index 13d543d7c..9ef1e05e3 100644
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/tag.yaml
@@ -31,6 +31,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/translations-download.yaml b/.github/workflows/translations-download.yaml
index eedea35c4..f8ff5c67e 100644
--- a/.github/workflows/translations-download.yaml
+++ b/.github/workflows/translations-download.yaml
@@ -20,6 +20,8 @@ jobs:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/translations-upload.yaml b/.github/workflows/translations-upload.yaml
index de0eb7477..a1de3381a 100644
--- a/.github/workflows/translations-upload.yaml
+++ b/.github/workflows/translations-upload.yaml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout the code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
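Review bot: `Update the release branch` in the release-bump.yaml hunk is the third place where a `github-script` step follows a now credential-less sparse checkout of `.github/scripts`, and a script that runs `git push` here would only break on the next real release bump, which is an awkward time to discover it. Verify that the script updates the branch through the octokit client (`github.rest.git.updateRef` or similar) — it is outside the hunk — and if it does not, pass a token to that step explicitly. Given that these release workflows likely are not exercised by ordinary CI, running the workflow once on a throwaway branch after this lands would be a cheap check; the tag and translations hunks on this line precede read-only setup steps and look fine as-is.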