Tell actions/checkout not to persist credentials

Recommended by `zizmor`. See https://docs.zizmor.sh/audits/#artipacked
for an explanation.
Andrew Morgan
2026-05-05 12:34:57 +01:00
parent b99023662a
commit fdf8dde38a
10 changed files with 50 additions and 0 deletions
+7
@@ -50,6 +50,7 @@ jobs:
with:
# Need a full clone so that `git describe` reports the right version
fetch-depth: 0
persist-credentials: false
- name: Compute version and timestamp out of git history
id: git
@@ -68,6 +69,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: ./.github/actions/build-frontend
- uses: ./.github/actions/build-policies
@@ -113,6 +116,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
@@ -380,6 +385,7 @@ jobs:
with:
sparse-checkout: |
.github/scripts
persist-credentials: false
- name: Download the artifacts from the previous job
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
@@ -458,6 +464,7 @@ jobs:
with:
sparse-checkout: |
.github/scripts
persist-credentials: false
- name: Remove label and comment
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
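Review bot: The `dtolnay/rust-toolchain@stable` step in the third hunk (`@@ -113,6 +116,8`) is still referenced by a mutable branch, unlike the SHA-pinned actions around it, so the job runs whatever that branch points to at execution time. Dropping the persisted token narrows what a later step can read from `.git/config`, but it does not pin the code that step runs. The same ref appears in the other workflow files in this commit, along with one `@nightly`; one step is already pinned as `dtolnay/rust-toolchain@b1b44fef029483cc79808c5eb89461241fd8f32f # 1.93.0`, and the others could follow that form with the channel passed as `toolchain: stable`. The job bodies continue outside the hunks, so any existing `toolchain:` input is not visible here.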
+20
@@ -35,6 +35,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: ./.github/actions/build-policies
@@ -62,6 +64,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -86,6 +90,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -110,6 +116,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -134,6 +142,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@nightly
@@ -157,6 +167,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Run `cargo-deny`
uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
@@ -173,6 +185,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
run: |
@@ -214,6 +228,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@b1b44fef029483cc79808c5eb89461241fd8f32f # 1.93.0
@@ -239,6 +255,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
@@ -292,6 +310,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
+6
@@ -30,6 +30,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: ./.github/actions/build-policies
@@ -55,6 +57,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: ./.github/actions/build-frontend
env:
@@ -100,6 +104,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
+2
@@ -26,6 +26,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
+1
@@ -28,6 +28,7 @@ jobs:
with:
sparse-checkout: |
.github/scripts
persist-credentials: false
- name: Push branch and open a PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
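Review bot: With `persist-credentials: false` the checkout no longer leaves a token in `.git/config`, so the `Push branch and open a PR` step that follows only keeps working if its script pushes through the GitHub API client rather than shelling out to `git push`. The script body is outside this hunk, so which of the two it does cannot be confirmed from here. The same check applies to the `Create a new release branch` and `Update the release branch` steps in the later workflow files, which follow the same sparse checkout of `.github/scripts`. If any of them uses the git CLI, that one step needs an explicitly scoped credential instead of the persisted one. A comment above the key, such as `# scripts below use the API client; no git credentials needed`, would record the assumption for the next maintainer.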
+5
@@ -35,6 +35,8 @@ jobs:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
@@ -62,6 +64,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -110,6 +114,7 @@ jobs:
with:
sparse-checkout: |
.github/scripts
persist-credentials: false
- name: Create a new release branch
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+3
@@ -34,6 +34,8 @@ jobs:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
@@ -80,6 +82,7 @@ jobs:
with:
sparse-checkout: |
.github/scripts
persist-credentials: false
- name: Update the release branch
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+2
@@ -31,6 +31,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
@@ -20,6 +20,8 @@ jobs:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -19,6 +19,8 @@ jobs:
steps:
- name: Checkout the code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Install Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0