From 988c79e174e3d0d0d5fc6985a73a075510498b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20St=C3=B6neberg?=
Date: Wed, 27 Nov 2024 10:01:41 +0100
Subject: [PATCH] do not persist checkout credentials in GitHub workflows (#7044)
based on [zizmor ](https://github.com/woodruffw/zizmor) analysis
---
.github/workflows/CI-cygwin.yml | 2 ++
.github/workflows/CI-mingw.yml | 2 ++
.github/workflows/CI-unixish-docker.yml | 4 ++++
.github/workflows/CI-unixish.yml | 14 ++++++++++++++
.github/workflows/CI-windows.yml | 4 ++++
.github/workflows/asan.yml | 2 ++
.github/workflows/buildman.yml | 4 ++++
.github/workflows/clang-tidy.yml | 2 ++
.github/workflows/codeql-analysis.yml | 2 ++
.github/workflows/coverage.yml | 2 ++
.github/workflows/coverity.yml | 2 ++
.github/workflows/cppcheck-premium.yml | 2 ++
.github/workflows/format.yml | 2 ++
.github/workflows/iwyu.yml | 4 ++++
.github/workflows/release-windows.yml | 2 ++
.github/workflows/scriptcheck.yml | 6 ++++++
.github/workflows/selfcheck.yml | 2 ++
.github/workflows/tsan.yml | 2 ++
.github/workflows/ubsan.yml | 2 ++
.github/workflows/valgrind.yml | 2 ++
20 files changed, 64 insertions(+)
diff --git a/.github/workflows/CI-cygwin.yml b/.github/workflows/CI-cygwin.yml
index 91552735d74..116ce699115 100644
--- a/.github/workflows/CI-cygwin.yml
+++ b/.github/workflows/CI-cygwin.yml
@@ -36,6 +36,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Cygwin uses: cygwin/cygwin-install-action@master
diff --git a/.github/workflows/CI-mingw.yml b/.github/workflows/CI-mingw.yml
index 931a629deda..a84d160c70e 100644
--- a/.github/workflows/CI-mingw.yml
+++ b/.github/workflows/CI-mingw.yml
@@ -32,6 +32,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up MSYS2 uses: msys2/setup-msys2@v2
diff --git a/.github/workflows/CI-unixish-docker.yml b/.github/workflows/CI-unixish-docker.yml
index 354456c0fcc..e3b7a8f9268 100644
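Review bot: The checkout step in CI-cygwin.yml is now hardened, but the step immediately after it in the same hunk, `uses: cygwin/cygwin-install-action@master`, pulls a third-party action from a mutable branch head, so anyone who can push to that branch can execute code in this job with whatever token and permissions it carries. Pin it to a full commit SHA with the human-readable ref as a trailing comment, `uses: cygwin/cygwin-install-action@<commit-sha>  # <tag>`; the tag pins elsewhere in the patch (`actions/checkout@v4`, `msys2/setup-msys2@v2`) are less exposed but still movable and would benefit from the same treatment. zizmor reports this as `unpinned-uses`, so it fits the stated basis of the commit. The job's remaining steps are outside the hunk.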
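Review bot: `persist-credentials: false` in CI-mingw.yml only stops actions/checkout from writing the job token into `.git/config`; the token stays reachable by every later step through `${{ github.token }}` / `secrets.GITHUB_TOKEN`, so its blast radius is governed by the workflow's `permissions:` block, which this hunk does not show. If these workflows do not already declare a top-level `permissions: contents: read` (or `permissions: {}` with per-job grants), that is the complementary change to make; zizmor flags its absence as `excessive-permissions`. A one-line comment above the option would also help the next editor, e.g. `# keep the job token out of .git/config; no later step needs authenticated git`, since the option is easy to drop when a step later appears to need git auth. The enclosing job begins before this hunk.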
--- a/.github/workflows/CI-unixish-docker.yml
+++ b/.github/workflows/CI-unixish-docker.yml
@@ -41,6 +41,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on ubuntu if: contains(matrix.image, 'ubuntu')
@@ -92,6 +94,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on ubuntu if: contains(matrix.image, 'ubuntu')
diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
index 898781f2537..854e5d5bf5f 100644
--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -35,6 +35,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -98,6 +100,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -172,6 +176,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -204,6 +210,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -236,6 +244,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # coreutils contains "g++" (default is "c++") and "nproc" - name: Install missing software on macos
@@ -258,6 +268,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -426,6 +438,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/CI-windows.yml b/.github/workflows/CI-windows.yml
index 731c639f6b1..7234d55aa23 100644
--- a/.github/workflows/CI-windows.yml
+++ b/.github/workflows/CI-windows.yml
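Review bot: CI-unixish.yml alone receives the same two lines in seven places, and nothing in the patch stops the next `actions/checkout` step pasted from upstream docs from reintroducing the persisted token, so the hardening regresses silently the first time someone adds a job. Since the commit message says the change is based on a zizmor run, the matching regression check is a small workflow that runs zizmor against `.github/workflows/` on pull requests (or a pre-commit hook doing the same), so `artipacked` and `unpinned-uses` findings fail CI instead of waiting for the next manual audit. Each of these hunks also keeps `hendrikmuhs/ccache-action@v1.2` on a mutable tag; a SHA pin with `# v1.2` as a trailing comment would close that gap at the same time. The jobs themselves start and end outside the hunks.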
@@ -34,6 +34,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Visual Studio environment uses: ilammy/msvc-dev-cmd@v1
@@ -86,6 +88,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3.13 if: matrix.config == 'release'
diff --git a/.github/workflows/asan.yml b/.github/workflows/asan.yml
index ecbce274e9a..6e4e77de580 100644
--- a/.github/workflows/asan.yml
+++ b/.github/workflows/asan.yml
@@ -28,6 +28,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/buildman.yml b/.github/workflows/buildman.yml
index 601180c8916..c6ac57e60c7 100644
--- a/.github/workflows/buildman.yml
+++ b/.github/workflows/buildman.yml
@@ -20,6 +20,8 @@ jobs:
runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - run: | mkdir output
@@ -45,6 +47,8 @@ jobs:
runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on ubuntu run: |
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
index b67268d6f3d..46705c2bac3 100644
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -25,6 +25,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software run: |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4f7f66be27d..dae84f188e1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,6 +33,8 @@ jobs:
steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on ubuntu run: |
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index f2f8aa5011d..3c0c8e1d1df 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -22,6 +22,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 148fc15462d..3c07b61d7c7 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -15,6 +15,8 @@ jobs:
if: ${{ github.repository_owner == 'danmar' }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on ubuntu run: | sudo apt-get update
diff --git a/.github/workflows/cppcheck-premium.yml b/.github/workflows/cppcheck-premium.yml
index d45b0f18789..de328b1ce69 100644
--- a/.github/workflows/cppcheck-premium.yml
+++ b/.github/workflows/cppcheck-premium.yml
@@ -25,6 +25,8 @@ jobs:
runs-on: ubuntu-24.04 # run on the latest image only steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download cppcheckpremium run: |
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 6b30eb70e97..77d8af0e9a1 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -22,6 +22,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache uncrustify uses: actions/cache@v4
diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml
index d01a7000e03..2ffa3ce8636 100644
--- a/.github/workflows/iwyu.yml
+++ b/.github/workflows/iwyu.yml
@@ -35,6 +35,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software on debian/ubuntu if: contains(matrix.image, 'debian')
@@ -158,6 +160,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install missing software run: |
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
index efc8ee2807d..4b8f21ca4ee 100644
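Review bot: In cppcheck-premium.yml the hardened checkout is immediately followed by a `Download cppcheckpremium` run step whose body is outside the hunk, and a fetched binary that is then executed on the checked-out tree is the other supply-chain input of this job besides the token the commit just removed. If that script does not already verify the download, add a pinned digest check before anything runs it, e.g. `echo "<sha256>  cppcheckpremium.tar.gz" | sha256sum -c -` (or a signature check if the vendor publishes one), so a swapped artifact fails the job instead of running with the job's token and `ubuntu-24.04` runner. I cannot see the step body, so this may already be handled; if it is, a comment on the step saying how the download is verified would save the next auditor the same question.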
--- a/.github/workflows/release-windows.yml
+++ b/.github/workflows/release-windows.yml
@@ -31,6 +31,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Visual Studio environment uses: ilammy/msvc-dev-cmd@v1
diff --git a/.github/workflows/scriptcheck.yml b/.github/workflows/scriptcheck.yml
index ff37edc5c08..bd30ce6fac4 100644
--- a/.github/workflows/scriptcheck.yml
+++ b/.github/workflows/scriptcheck.yml
@@ -23,6 +23,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
@@ -57,6 +59,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # TODO: bailout on error - name: Restore Cppcheck
@@ -193,6 +197,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: run dmake run: |
diff --git a/.github/workflows/selfcheck.yml b/.github/workflows/selfcheck.yml
index df84c7719a3..1666e7352a1 100644
--- a/.github/workflows/selfcheck.yml
+++ b/.github/workflows/selfcheck.yml
@@ -25,6 +25,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/tsan.yml b/.github/workflows/tsan.yml
index 13cc99566a2..b681217b3b3 100644
--- a/.github/workflows/tsan.yml
+++ b/.github/workflows/tsan.yml
@@ -28,6 +28,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/ubsan.yml b/.github/workflows/ubsan.yml
index 21e90751000..921cbaee27c 100644
--- a/.github/workflows/ubsan.yml
+++ b/.github/workflows/ubsan.yml
@@ -28,6 +28,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
index 25297ebf19b..7fd16382802 100644
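Review bot: release-windows.yml is the one workflow in this patch whose name suggests it publishes something, and with `persist-credentials: false` any later `git push`, `git tag` or authenticated `git fetch` in that job will now fail with an authentication error rather than keep working silently; the rest of the job is outside the hunk, so confirm no such step exists before merging. If one does, the narrow fix is to hand the token to that single step instead of the whole checkout, `env: GITHUB_TOKEN: ${{ github.token }}` on the step, or to rely on a release action that takes the token as an explicit input, which is unaffected by this change. Whichever holds, a short comment beside the option, `# no later step performs authenticated git operations`, records the assumption this commit is making.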
--- a/.github/workflows/valgrind.yml
+++ b/.github/workflows/valgrind.yml
@@ -22,6 +22,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@v1.2