28 changes: 28 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -561,6 +561,33 @@ jobs:
git status
git diff --exit-code

# Check that all `actions/checkout` in CI jobs have `persist-credentials: false`.
check-no-persist-credentials:
runs-on: ubuntu-latest

env:
GLOB: .github/workflows/*.@(yaml|yml)

steps:
- uses: actions/checkout@v5
with:
persist-credentials: false
sparse-checkout: '.github/workflows'
- name: List workflows to be scanned
run: |
shopt -s extglob
printf '%s\n' ${{ env.GLOB }}
- name: Scan workflows
run: |
shopt -s extglob
yq '.jobs.*.steps[]
| select(.uses == "actions/checkout@*" and .with.["persist-credentials"]? != false)
| {"file": filename, "line": line, "name": (.name // .uses)}
| .file + ":" + (.line | tostring) + ": " + .name
' -- ${{ env.GLOB }} >query-output.txt
cat query-output.txt
test -z "$(<query-output.txt)" # Report failure if we found anything.

# Check that only jobs intended not to block PR auto-merge are omitted as
# dependencies of the `tests-pass` job below, so that whenever a job is
# added, a decision is made about whether it must pass for PRs to merge.
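Review bot: The scanner's only match rule, `select(.uses == "actions/checkout@*" ...)`, appears to rely on mikefarah yq's wildcard handling of `==` on strings; under a jq-compatible `yq` (or if the runner's preinstalled yq changes semantics) the comparison becomes an exact match, the query yields nothing, and `test -z` on the empty output passes vacuously with no visible signal. A positive control before the scan would catch that silent no-op: run the same query against a small constructed fixture that omits `persist-credentials` and fail the step if nothing is reported, as in the step below (fixture content is constructed, not taken from the repository). Also, since this job exists to harden the workflows' checkouts, its own `uses: actions/checkout@v5` is pinned to a mutable tag; pinning to a full commit SHA with the tag in a trailing comment would match that intent, unless the rest of the file deliberately uses tags (the file's other jobs are outside this hunk). Note that a quoted input such as `persist-credentials: 'false'` is a YAML string, so `!= false` would report it; if that is intended, a comment on the select line saying so would save the next reader a puzzle.
```yaml
      # … unchanged: checkout and "List workflows to be scanned" steps …
      - name: Self-test the scanner on a known-bad fixture (constructed)
        run: |
          printf '%s\n' 'jobs:' '  j:' '    steps:' '      - uses: actions/checkout@v5' >fixture.yml
          yq '.jobs.*.steps[] | select(.uses == "actions/checkout@*" and .with.["persist-credentials"]? != false)' fixture.yml >self-test.txt
          test -n "$(<self-test.txt)"  # The scanner must flag the fixture, or it is not matching at all.
      # … unchanged: "Scan workflows" step …
```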
Expand Down Expand Up @@ -615,6 +642,7 @@ jobs:
- lint
- cargo-deny
- check-packetline
- check-no-persist-credentials
- check-blocking

if: always() # Always run even if dependencies fail.