.github/workflows/ci.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -38,6 +38,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: extractions/setup-just@v3
           - name: Read the MSRV
             run: |
@@ Expand All / @@ -60,6 +62,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: extractions/setup-just@v3
           - name: Ensure we start out clean
             run: git diff --exit-code
@@ Expand All / @@ -75,6 +79,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Prerequisites
             run: |
               prerequisites=(
@@ Expand Down Expand Up / @@ -177,6 +183,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - name: Setup dependencies
@@ Expand All / @@ -197,6 +205,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - uses: extractions/setup-just@v3
@@ Expand All / @@ -221,6 +231,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - name: cargo check default features
@@ Expand Down Expand Up / @@ -268,6 +280,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - uses: taiki-e/install-action@v2
@@ Expand Down Expand Up / @@ -339,6 +353,8 @@ jobs: @@
               apt-get install --no-install-recommends -y -- "${prerequisites[@]}"
             shell: bash  # This step needs `bash`, and the default in container jobs is `sh`.
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust via Rustup
             run: |
               # Specify toolchain to avoid possible misdetection based on the 64-bit running kernel.
@@ Expand All / @@ -365,6 +381,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
             with:
               targets: ${{ env.TARGET }}
@@ Expand All / @@ -382,6 +400,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@master
             with:
               toolchain: stable
@@ Expand Down Expand Up / @@ -412,6 +432,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: EmbarkStudios/cargo-deny-action@v2
             with:
               command: check advisories
@@ Expand All / @@ -422,6 +444,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: EmbarkStudios/cargo-deny-action@v2
             with:
               command: check bans licenses sources
@@ Expand All / @@ -441,6 +465,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust
             run: |
               rustup update stable
@@ Expand Down Expand Up / @@ -520,6 +546,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Check that working tree is initially clean
             run: |
               set -x
@@ Expand All / @@ -533,6 +561,33 @@ jobs: @@
               git status
               git diff --exit-code
+      # Check that all `actions/checkout` in CI jobs have `persist-credentials: false`.
+      check-no-persist-credentials:
+        runs-on: ubuntu-latest
+        env:
+          GLOB: .github/workflows/*.@(yaml|yml)
+        steps:
+          - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
+              sparse-checkout: '.github/workflows'
+          - name: List workflows to be scanned
+            run: |
+              shopt -s extglob
+              printf '%s\n' ${{ env.GLOB }}
+          - name: Scan workflows
+            run: |
+              shopt -s extglob
+              yq '.jobs.*.steps[]
+                | select(.uses == "actions/checkout@*" and .with.["persist-credentials"]? != false)
+                | {"file": filename, "line": line, "name": (.name // .uses)}
+                | .file + ":" + (.line | tostring) + ": " + .name
+              ' -- ${{ env.GLOB }} >query-output.txt
+              cat query-output.txt
+              test -z "$(<query-output.txt)"  # Report failure if we found anything.
       # Check that only jobs intended not to block PR auto-merge are omitted as
       # dependencies of the `tests-pass` job below, so that whenever a job is
       # added, a decision is made about whether it must pass for PRs to merge.
@@ Expand All / @@ -557,6 +612,7 @@ jobs: @@
               echo "WORKFLOW_PATH=${relative_workflow_with_ref%@*}" >> "$GITHUB_ENV"
           - uses: actions/checkout@v5
             with:
+              persist-credentials: false
               sparse-checkout: ${{ env.WORKFLOW_PATH }}
           - name: Get all jobs
             run: yq '.jobs | keys.[]' -- "$WORKFLOW_PATH" | sort | tee all-jobs.txt
@@ Expand Down Expand Up / @@ -586,6 +642,7 @@ jobs: @@
           - lint
           - cargo-deny
           - check-packetline
+          - check-no-persist-credentials
           - check-blocking
         if: always()  # Always run even if dependencies fail.
@@ Expand Down @@

.github/workflows/cron.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: Swatinem/rust-cache@v2
           - name: stress
             run: make stress

.github/workflows/release.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -41,6 +41,8 @@ jobs: @@
         steps:
           - name: Checkout repository
             uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Get the release version from the tag
             if: env.VERSION == ''
@@ Expand Down Expand Up / @@ -234,6 +236,8 @@ jobs: @@
         steps:
           - name: Checkout repository
             uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install packages (Ubuntu)
             # Because openssl doesn't work on musl by default, we resort to max-pure.
@@ Expand Down Expand Up / @@ -537,6 +541,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust
             uses: dtolnay/rust-toolchain@master
             with:
@@ Expand Down @@

Don't persist GitHub authentication token in `.git/config` on CI #2187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

EliahKagan merged 2 commits into GitoxideLabs:main from EliahKagan:run-ci/no-persist-credentials

Sep 22, 2025

-Original file line number
+Diff line change
@@ Expand Up / @@ -38,6 +38,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: extractions/setup-just@v3
           - name: Read the MSRV
             run: |
@@ Expand All / @@ -60,6 +62,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: extractions/setup-just@v3
           - name: Ensure we start out clean
             run: git diff --exit-code
@@ Expand All / @@ -75,6 +79,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Prerequisites
             run: |
               prerequisites=(
@@ Expand Down Expand Up / @@ -177,6 +183,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - name: Setup dependencies
@@ Expand All / @@ -197,6 +205,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - uses: extractions/setup-just@v3
@@ Expand All / @@ -221,6 +231,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - name: cargo check default features
@@ Expand Down Expand Up / @@ -268,6 +280,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
           - uses: Swatinem/rust-cache@v2
           - uses: taiki-e/install-action@v2
@@ Expand Down Expand Up / @@ -339,6 +353,8 @@ jobs: @@
               apt-get install --no-install-recommends -y -- "${prerequisites[@]}"
             shell: bash  # This step needs `bash`, and the default in container jobs is `sh`.
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust via Rustup
             run: |
               # Specify toolchain to avoid possible misdetection based on the 64-bit running kernel.
@@ Expand All / @@ -365,6 +381,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@stable
             with:
               targets: ${{ env.TARGET }}
@@ Expand All / @@ -382,6 +400,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: dtolnay/rust-toolchain@master
             with:
               toolchain: stable
@@ Expand Down Expand Up / @@ -412,6 +432,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: EmbarkStudios/cargo-deny-action@v2
             with:
               command: check advisories
@@ Expand All / @@ -422,6 +444,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: EmbarkStudios/cargo-deny-action@v2
             with:
               command: check bans licenses sources
@@ Expand All / @@ -441,6 +465,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust
             run: |
               rustup update stable
@@ Expand Down Expand Up / @@ -520,6 +546,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Check that working tree is initially clean
             run: |
               set -x
@@ Expand All / @@ -533,6 +561,33 @@ jobs: @@
               git status
               git diff --exit-code
+      # Check that all `actions/checkout` in CI jobs have `persist-credentials: false`.
+      check-no-persist-credentials:
+        runs-on: ubuntu-latest
+        env:
+          GLOB: .github/workflows/*.@(yaml|yml)
+        steps:
+          - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
+              sparse-checkout: '.github/workflows'
+          - name: List workflows to be scanned
+            run: |
+              shopt -s extglob
+              printf '%s\n' ${{ env.GLOB }}
+          - name: Scan workflows
+            run: |
+              shopt -s extglob
+              yq '.jobs.*.steps[]
+                | select(.uses == "actions/checkout@*" and .with.["persist-credentials"]? != false)
+                | {"file": filename, "line": line, "name": (.name // .uses)}
+                | .file + ":" + (.line | tostring) + ": " + .name
+              ' -- ${{ env.GLOB }} >query-output.txt
+              cat query-output.txt
+              test -z "$(<query-output.txt)"  # Report failure if we found anything.
       # Check that only jobs intended not to block PR auto-merge are omitted as
       # dependencies of the `tests-pass` job below, so that whenever a job is
       # added, a decision is made about whether it must pass for PRs to merge.
@@ Expand All / @@ -557,6 +612,7 @@ jobs: @@
               echo "WORKFLOW_PATH=${relative_workflow_with_ref%@*}" >> "$GITHUB_ENV"
           - uses: actions/checkout@v5
             with:
+              persist-credentials: false
               sparse-checkout: ${{ env.WORKFLOW_PATH }}
           - name: Get all jobs
             run: yq '.jobs | keys.[]' -- "$WORKFLOW_PATH" | sort | tee all-jobs.txt
@@ Expand Down Expand Up / @@ -586,6 +642,7 @@ jobs: @@
           - lint
           - cargo-deny
           - check-packetline
+          - check-no-persist-credentials
           - check-blocking
         if: always()  # Always run even if dependencies fail.
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - uses: Swatinem/rust-cache@v2
           - name: stress
             run: make stress

-Original file line number
+Diff line change
@@ Expand Up / @@ -41,6 +41,8 @@ jobs: @@
         steps:
           - name: Checkout repository
             uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Get the release version from the tag
             if: env.VERSION == ''
@@ Expand Down Expand Up / @@ -234,6 +236,8 @@ jobs: @@
         steps:
           - name: Checkout repository
             uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install packages (Ubuntu)
             # Because openssl doesn't work on musl by default, we resort to max-pure.
@@ Expand Down Expand Up / @@ -537,6 +541,8 @@ jobs: @@
         steps:
           - uses: actions/checkout@v5
+            with:
+              persist-credentials: false
           - name: Install Rust
             uses: dtolnay/rust-toolchain@master
             with:
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Don't persist GitHub authentication token in `.git/config` on CI #2187

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Don't persist GitHub authentication token in .git/config on CI #2187

Uh oh!

Don't persist GitHub authentication token in .git/config on CI #2187

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Don't persist GitHub authentication token in `.git/config` on CI #2187

Don't persist GitHub authentication token in `.git/config` on CI #2187