Merge pull request #4435 from esl/safe-gh-actions
Do not persist credentials on GH Actions

A GH Actions safety checker called Zizmor suggested that the "persist-credentials" option should be set to "false", so that git auth tokens cannot be leaked. The full rationale: https://woodruffw.github.io/zizmor/audits/#artipacked. It is not a big issue for us, as we don't upload artifacts from GH Actions, but using this option should add a bit of safety anyway.
NelsonVides authored Dec 17, 2024
2 parents 4ad74d9 + 7241910 commit a7c95ad
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -35,6 +35,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: erlef/[email protected]
with:
otp-version: ${{ matrix.otp }}
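
Review bot: `actions/checkout@v3`, on the context line just above the added `persist-credentials: false`, is still referenced by a mutable tag. Since this commit is already hardening the checkout step, consider pinning the action to a full commit SHA, with the tag kept in a trailing comment, so the code that handles the job token cannot change underneath the workflow. The same applies to the other checkout steps touched below.
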
Expand Down Expand Up @@ -82,6 +83,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: ./.github/actions/big-tests
with:
otp: ${{matrix.otp}}
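
Review bot: the step after this checkout, `./.github/actions/big-tests`, is a local action whose contents are not part of this diff, so it is not possible to tell from here whether it relied on the token that checkout used to leave in `.git/config`. With `persist-credentials: false`, any authenticated git command inside that action (a push, or a fetch from a private remote) would now fail. Please confirm it only reads the working tree, or pass it a token explicitly if it needs one. The next hunk calls the same action.
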
Expand Down Expand Up @@ -112,6 +114,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: ./.github/actions/big-tests
with:
otp: ${{matrix.otp}}
Expand Down Expand Up @@ -146,6 +149,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: erlef/[email protected]
with:
otp-version: ${{matrix.otp}}
Expand All @@ -162,6 +166,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: erlef/[email protected]
with:
otp-version: ${{matrix.otp}}
Expand All @@ -178,6 +183,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- uses: erlef/[email protected]
with:
otp-version: ${{matrix.otp}}
Expand All @@ -200,4 +206,5 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- run: tools/test.sh -p pkg
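
Review bot: nothing in this change keeps a future job from adding a checkout step without `persist-credentials: false`; the setting is repeated by hand in seven places and the `pkg` job here is the last of them. Running zizmor as a CI step on `.github/workflows/ci.yml` would catch a regression. It is also worth checking that `tools/test.sh -p pkg` does not run git against the remote with authentication, since the token is no longer available to it after this checkout.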
