Skip to content

GH Actions: do not persist credentials #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: stable
Choose a base branch
from
Open

GH Actions: do not persist credentials #198

wants to merge 1 commit into from

Conversation

@jrfnl
Copy link
Member

@jrfnl jrfnl commented Sep 17, 2025

By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated.

Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact.

However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed.

Remediation

Unless needed for git operations, actions/checkout should be used with persist-credentials: false.

If the persisted credential is needed, it should be made explicit with persist-credentials: true.

This has now been addressed in all workflows.

Refs:

@jrfnl jrfnl added this to the 1.x Next milestone Sep 17, 2025
@jrfnl
Copy link
Member Author

jrfnl commented Sep 17, 2025

Leaving this open until the next release. This may break the update-website.yml workflow. So better to merge & check this when a release is being done (and revert that part if needed).

@jrfnl jrfnl mentioned this pull request Sep 17, 2025
Merged
@jrfnl
GH Actions: do not persist credentials
55023b0 
> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
@jrfnl
Copy link
Member Author

jrfnl commented Nov 19, 2025

Rebased without changes to get passed imaginary merge conflict.

@jrfnl jrfnl force-pushed the feature/ghactions-do-not-persist-credentials branch from c1d1e1a to 55023b0 Compare November 19, 2025 01:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Type: chores/QA

Milestone

1.x Next

Development

Successfully merging this pull request may close these issues.

2 participants

@jrfnl