Commit a7c95ad

Merge pull request #4435 from esl/safe-gh-actions
Do not persist credentials on GH Actions

A GH Actions safety checker called Zizmor suggested that the "persist-credentials" option should be set to "false", so that git auth tokens cannot be leaked. The full rationale: https://woodruffw.github.io/zizmor/audits/#artipacked. It is not a big issue for us, as we don't upload artifacts from GH Actions, but using this option should add a bit of safety anyway.
2 parents 4ad74d9 + 7241910 commit a7c95ad

1 file changed

+7
-0
lines changed

.github/workflows/ci.yml

@@ -35,6 +35,7 @@ jobs:
3535
- uses: actions/checkout@v3
3636
with:
3737
fetch-depth: 0
38+
persist-credentials: false
3839
- uses: erlef/[email protected]
3940
with:
4041
otp-version: ${{ matrix.otp }}
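Review bot: the checkout step on the context line just above the added option still references `actions/checkout@v3` by a mutable tag, and the same is true of every other checkout step touched in this file. Since the change is about tightening the workflow, consider pinning the action to a full commit SHA, with the version kept in a trailing comment, so the code that handles the token cannot change underneath the workflow.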
@@ -82,6 +83,7 @@ jobs:
8283
- uses: actions/checkout@v3
8384
with:
8485
fetch-depth: 0
86+
persist-credentials: false
8587
- uses: ./.github/actions/big-tests
8688
with:
8789
otp: ${{matrix.otp}}
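Review bot: with `persist-credentials: false` the token is no longer left in the checked-out repository's git config, so the local `./.github/actions/big-tests` action that runs right after this checkout must not depend on authenticated git operations such as a fetch, a submodule update or a push. Nothing in this hunk shows what that action does, so please confirm it, here and for the identical step in the next job, or pass a token to it explicitly if it needs one.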
@@ -112,6 +114,7 @@ jobs:
112114
- uses: actions/checkout@v3
113115
with:
114116
fetch-depth: 0
117+
persist-credentials: false
115118
- uses: ./.github/actions/big-tests
116119
with:
117120
otp: ${{matrix.otp}}
@@ -146,6 +149,7 @@ jobs:
146149
- uses: actions/checkout@v3
147150
with:
148151
fetch-depth: 0
152+
persist-credentials: false
149153
- uses: erlef/[email protected]
150154
with:
151155
otp-version: ${{matrix.otp}}
@@ -162,6 +166,7 @@ jobs:
162166
- uses: actions/checkout@v3
163167
with:
164168
fetch-depth: 0
169+
persist-credentials: false
165170
- uses: erlef/[email protected]
166171
with:
167172
otp-version: ${{matrix.otp}}
@@ -178,6 +183,7 @@ jobs:
178183
- uses: actions/checkout@v3
179184
with:
180185
fetch-depth: 0
186+
persist-credentials: false
181187
- uses: erlef/[email protected]
182188
with:
183189
otp-version: ${{matrix.otp}}
@@ -200,4 +206,5 @@ jobs:
200206
- uses: actions/checkout@v3
201207
with:
202208
fetch-depth: 0
209+
persist-credentials: false
203210
- run: tools/test.sh -p pkg
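Review bot: there is no regression guard for this setting. The line added before `tools/test.sh -p pkg` is the seventh hand-added copy of `persist-credentials: false` in `ci.yml`, and nothing stops a future checkout step from omitting it. Consider running the checker named in the commit message as a CI step so the setting is enforced rather than remembered.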
