From af2cb81aec53556cb463f56abd9dda067d766887 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Thu, 19 Dec 2024 10:08:19 -0800
Subject: [PATCH] ci: Do not persist credentials after checkout (#62)

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions.
---
 .github/workflows/build.yaml | 2 ++
 .github/workflows/release.yaml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2f78146..eccc2c9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -55,6 +55,7 @@ jobs:
 with:
 path: repo-src
 ref: ${{ inputs.ref || github.ref }}
+ persist-credentials: false
 - name: Configure Build Matrix
 id: configure
@@ -150,6 +151,7 @@ jobs:
 with:
 path: repo-src
 ref: ${{ inputs.ref || github.ref }}
+ persist-credentials: false
 - name: Install OS packages
 run: ./repo-src/build-scripts/00-packages.sh
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8caf83d..d1a1856 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -47,6 +47,7 @@ jobs:
 with:
 path: repo-src
 ref: ${{ github.ref }}
+ persist-credentials: false
 - uses: actions/download-artifact@v4
 with:
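Review bot: Removing the persisted token here closes the "steal the token from .git/config" path, but the same checkout still honours a caller-chosen `ref: ${{ inputs.ref || github.ref }}`, so every later step that runs code out of `repo-src` executes whatever revision the caller of this workflow picked; that remains safe only if the job's `permissions:` are the minimum it needs and no secrets are exported to those steps, neither of which is visible in this hunk. The `uses: actions/checkout@…` line that this `with:` block belongs to is just outside the hunk; if it references a mutable tag rather than a commit SHA, pinning it (`uses: actions/checkout@<full-sha> # vN`) is the natural companion to this change. Also worth confirming that no step after this one relied on the token being left in the clone (submodule fetches, `git push`), since those now fail unless a token is passed to them explicitly.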
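Review bot: The `run: ./repo-src/build-scripts/00-packages.sh` step immediately after this checkout executes a script taken from the caller-selected `inputs.ref`, so with the token no longer in the clone it should be checked for any authenticated git operation (for example `git submodule update` against a private repo) that previously succeeded only because of the persisted credentials and will now fail or, worse, be silently skipped. If such access is genuinely needed, pass a scoped token through `env:` for that step alone rather than reverting `persist-credentials`. Given the script installs OS packages it presumably runs with elevated privileges on the runner; a one-line comment above the step, `# runs code from the checked-out ref: keep job permissions minimal and do not expose secrets to it`, would record the trust boundary this change is protecting.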
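Review bot: In a release job the checkout token is the one most likely to have been relied upon later, for tag pushes or `gh release create`, and those steps now need a token handed to them explicitly, e.g. `env: { GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} }` or the `token:` input of whichever release action is used; the remainder of this job is outside the hunk, so this cannot be confirmed here. While touching this block, `actions/download-artifact@v4` on the context line below (and the checkout action itself, above the hunk) are referenced by mutable tags; pinning both to full commit SHAs is the same class of supply-chain hardening the commit message cites. Lastly, `ref: ${{ github.ref }}` means a release built from a tag checks out that tag verbatim, so tag protection or signed-tag verification is what prevents an attacker who can create tags from shipping a release — worth a comment if the repository already enforces it.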