Avoid persisting credentials on checkout step of the Github actions #19089

Open
wants to merge 1 commit into
base: dev

arash77
Collaborator

@arash77 arash77 commented Oct 31, 2024

Adding persist-credentials: false into the checkout step of the GitHub action workflows will prevent storing sensitive credentials for future jobs, which will increase the security of workflows.

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

@github-actions github-actions bot added this to the 24.2 milestone Oct 31, 2024
@arash77 arash77 marked this pull request as draft November 4, 2024 15:57
@arash77
Collaborator Author

arash77 commented Nov 7, 2024

This will cause GITHUB_TOKEN not to be accessible automatically anymore in the workflows, and steps needing GitHub authentication (write access) must re-authenticate.
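
An added example, not part of this pull request or the Galaxy code base: a standard-library Python check that lists checkout steps still missing `persist-credentials: false`, plus the `git push` steps that would need explicit credentials once the token is no longer written to the local git configuration. The sample workflow is constructed, and the function names and the indentation-based step splitting (space-indented YAML) are assumptions of this example.

```python
import re

# Constructed sample workflow (not taken from the Galaxy repository).
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
  docs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - run: git push origin HEAD:gh-pages
"""

ITEM = re.compile(r"^( *)-\s")
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout@")
HARDENED = re.compile(r"persist-credentials:\s*['\"]?false\b")
GIT_PUSH = re.compile(r"\bgit\s+push\b")


def iter_items(text):
    """Yield (line_no, block) per YAML list item; deeper-indented lines join it."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = ITEM.match(lines[i])
        start, i = i, i + 1
        if not m:
            continue
        pad = " " * (len(m.group(1)) + 1)
        while i < len(lines) and (not lines[i].strip() or lines[i].startswith(pad)):
            i += 1
        yield start + 1, "\n".join(lines[start:i])


def audit(text):
    """Report checkout steps that persist the token and steps that run git push."""
    # Drop comments so a commented-out setting does not count as hardened.
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", text)
    report = {"persisting": [], "git_push": []}
    for line_no, block in iter_items(text):
        if CHECKOUT.search(block) and not HARDENED.search(block):
            report["persisting"].append(line_no)
        if GIT_PUSH.search(block):
            report["git_push"].append(line_no)
    return report
```

Line numbers in the report are 1-based positions in the workflow file; a file with entries under `git_push` is one to review for re-authentication before hardening its checkout step.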

@arash77 arash77 force-pushed the Improve-github-workflows-security branch from 016717c to 4765594 Compare November 8, 2024 13:55
@jdavcs jdavcs modified the milestones: 24.2, 25.0 Nov 20, 2024
@nsoranzo
Member

LGTM, can you rebase it please?

@arash77 arash77 force-pushed the Improve-github-workflows-security branch from 4765594 to 84f6781 Compare December 12, 2024 10:11
@arash77
Collaborator Author

arash77 commented Dec 12, 2024

> LGTM, can you rebase it please?

I didn't get a chance to verify if using GITHUB_TOKEN in any workflows might cause issues with this PR. If you're confident it's fine, I'm good to proceed as well.

@nsoranzo
Member

> > LGTM, can you rebase it please?
>
> I didn't get a chance to verify if using GITHUB_TOKEN in any workflows might cause issues with this PR. If you're confident it's fine, I'm good to proceed as well.

In case a workflow breaks, we can revisit. Can you take it out of draft, so we can merge?

@arash77 arash77 marked this pull request as ready for review December 12, 2024 12:58