From d0f1d1a0741f22ac1cb3674d7f8e4a771fb60160 Mon Sep 17 00:00:00 2001 From: Joey Parrish Date: Wed, 18 Dec 2024 08:25:26 -0800 Subject: [PATCH] ci: Do not persist credentials after checkout (#71) See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. --- .github/workflows/release.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b145f26..cb711e6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Install deps run: | @@ -99,6 +100,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set version number shell: bash @@ -196,6 +199,8 @@ jobs: with: repository: '${{ secrets.HOMEBREW_TAP_REPO }}' fetch-depth: 0 # The entire repo history, so we can push an update + # To push to this repo, an explicit token is used to authenticate. + persist-credentials: false - name: Wipe source and formula folders run: | @@ -211,6 +216,7 @@ jobs: uses: actions/checkout@v4 with: path: shaka-lab-source + persist-credentials: false - name: Finish staging tap repo run: |