@jrfnl jrfnl commented Sep 18, 2025

Description

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
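As an added illustration of the two cases the description distinguishes (this is example YAML written for this page, not a workflow from the PR or the project), the hypothetical workflow below uses `persist-credentials: false` on a read-only job and an explicit `persist-credentials: true` only on the job that actually pushes. The job names, the `./build.sh` script and the action version pins are assumptions.

```yaml
# Added example (not from the PR): hypothetical .github/workflows/example.yml
name: example

on:
  push:
    branches: [main]

# Default token scope for every job; the publish job widens it explicitly.
permissions:
  contents: read

jobs:
  # Read-only job: nothing here runs a git command that needs authentication,
  # so the checkout token should not be written to .git/config at all.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # the implicit default would be true

      - name: Build docs
        run: ./build.sh                # hypothetical build script

      # Uploading the working tree is the scenario from the description:
      # with persist-credentials: false, .git/config holds no token even if
      # it ends up inside the artifact.
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: .

  # Job that pushes back to the repository: the persisted credential is
  # needed, so the dependency on it is stated explicitly instead of being
  # inherited from the default.
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: true

      - name: Commit generated files
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "Regenerate generated files" || exit 0
          git push
```

Reviewing a repository against this pattern is mechanical: every `actions/checkout` step either sets `persist-credentials: false`, or sets `persist-credentials: true` and is followed in the same job by a `git push`, `git fetch` or similar authenticated operation. The `artipacked` audit linked above flags the steps that do neither.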

=== This is an auto-generated comment ===

Thank you for your PR.
A dry-run has been executed on your PR, executing all markdown pre-processing for the wiki files.

Please review the resulting final markdown files via the created artifact.
This is especially important when adding new pages or updating auto-generated output blocks.

N.B.: the above link will automatically be updated when this PR is updated.

jrfnl commented Sep 18, 2025

Leaving this open until there is a wiki PR ready to be merged. This may break the publish-wiki.yml workflow. So better to merge & check when there is something which would need to be deployed (and revert that part if needed).

@jrfnl jrfnl merged commit 783f31d into main Sep 18, 2025
18 checks passed
@jrfnl jrfnl deleted the feature/ghactions-do-not-persist-credentials branch September 18, 2025 22:46
jrfnl commented Sep 18, 2025

Merged a wiki PR after this one and all looks to be okay.
