From 7241910070817910efffafea05d5d7ab6bdb8c6d Mon Sep 17 00:00:00 2001
From: Gustaw Lippa
Date: Thu, 12 Dec 2024 16:11:19 +0100
Subject: [PATCH] Do not persist credentials on GH Actions

I ran a GH Actions safety checker, which suggested that the "persist-credentials" option should be set to "false". The rationale: https://woodruffw.github.io/zizmor/audits/#artipacked. It is not a big issue for us, as we don't upload artifacts from GH Actions, but using this option should add a bit of safety anyway.
---
 .github/workflows/ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 15a3b90c10..5d7cc61481 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,6 +35,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: erlef/setup-beam@v1.16.0
 with:
 otp-version: ${{ matrix.otp }}
@@ -82,6 +83,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: ./.github/actions/big-tests
 with:
 otp: ${{matrix.otp}}
@@ -112,6 +114,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: ./.github/actions/big-tests
 with:
 otp: ${{matrix.otp}}
@@ -146,6 +149,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: erlef/setup-beam@v1.16.0
 with:
 otp-version: ${{matrix.otp}}
@@ -162,6 +166,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: erlef/setup-beam@v1.16.0
 with:
 otp-version: ${{matrix.otp}}
@@ -178,6 +183,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: erlef/setup-beam@v1.16.0
 with:
 otp-version: ${{matrix.otp}}
@@ -200,4 +206,5 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 - run: tools/test.sh -p pkg
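Review bot: The `persist-credentials: false` line added under `actions/checkout@v3` in the first hunk, and repeated in the six hunks after it, has no comment saying what it protects, so a later edit or a newly copied checkout step can drop it unnoticed. A one-line comment above it would do, for example `# keep GITHUB_TOKEN out of .git/config; no later step needs git auth`. The protection is also wider than the artifact case named in the description: without the option the token stays in the checkout's git config, where later `run` steps such as `tools/test.sh -p pkg` and whatever they execute can read it. Whether any job needs authenticated git after checkout is not visible here (`./.github/actions/big-tests` is defined outside this diff), so that is worth confirming; such a step would need a token passed to it explicitly.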