Prevent credential leaks in GitHub Actions workflows

SteveDesmond-ca · SteveDesmond-ca · commit 1bb621cced00 · 2026-02-20T11:32:28.000-05:00
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -1,23 +1,25 @@
 name: CI
-on: [ push, pull_request ]
+on: [push, pull_request]
 
 jobs:
   Build:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: 10.0.x
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
 
-    - name: Restore
-      run: dotnet restore
+      - name: Restore
+        run: dotnet restore
 
-    - name: Build
-      run: dotnet build --no-restore
+      - name: Build
+        run: dotnet build --no-restore
 
-    - name: Test
-      run: dotnet test --no-build
+      - name: Test
+        run: dotnet test --no-build
diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml
@@ -13,12 +13,12 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main ]
+    branches: [main]
   schedule:
-    - cron: '45 7 * * *'
+    - cron: "45 7 * * *"
 
 jobs:
   analyze:
@@ -32,44 +32,46 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'csharp' ]
+        language: ["csharp"]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: 10.0.x
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
@@ -2,7 +2,7 @@ name: Release
 on:
   push:
     tags:
-      - '*'
+      - "*"
 
 defaults:
   run:
@@ -17,43 +17,44 @@ jobs:
       targets: linux-x64 linux-arm64 linux-arm osx-x64 osx-arm64 win-x64 win-arm64
 
     steps:
-    - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.ref }}
-
-    - uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: 10.0.x
-
-    - name: Run tests
-      run: dotnet test
-
-    - name: Publish binaries
-      run: |
-        for target in $targets
-        do
-          dotnet publish src -c Release -r $target -o publish/$target -p:PublishTrimmed=true,PublishReadyToRun=true,PublishReadyToRunComposite=true,PublishSingleFile=true,TieredCompilation=false
-        done
-
-    - name: Create release files
-      working-directory: publish
-      run: |
-        for target in $targets
-        do
-          cd $target
-          zip -9 ../LoadTestToolbox_$(echo ${{ github.ref }} | sed 's/refs\/tags\///')_$target.zip *
-          cd ..
-        done
-
-    - name: Create release
-      uses: softprops/action-gh-release@v2.5.0
-      with:
-        files: publish/LoadTestToolbox_*.zip
-
-    - name: Build NuGet Package
-      run: dotnet pack -c Release -p:ContinuousIntegrationBuild=true
-
-    - name: Push NuGet Package
-      run: dotnet nuget push src/bin/Release/LoadTestToolbox.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k $NUGET_TOKEN -s https://api.nuget.org/v3/index.json
-      env:
-        NUGET_TOKEN: ${{secrets.NUGET_TOKEN}}
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Run tests
+        run: dotnet test
+
+      - name: Publish binaries
+        run: |
+          for target in $targets
+          do
+            dotnet publish src -c Release -r $target -o publish/$target -p:PublishTrimmed=true,PublishReadyToRun=true,PublishReadyToRunComposite=true,PublishSingleFile=true,TieredCompilation=false
+          done
+
+      - name: Create release files
+        working-directory: publish
+        run: |
+          for target in $targets
+          do
+            cd $target
+            zip -9 ../LoadTestToolbox_$(echo ${{ github.ref }} | sed 's/refs\/tags\///')_$target.zip *
+            cd ..
+          done
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2.5.0
+        with:
+          files: publish/LoadTestToolbox_*.zip
+
+      - name: Build NuGet Package
+        run: dotnet pack -c Release -p:ContinuousIntegrationBuild=true
+
+      - name: Push NuGet Package
+        run: dotnet nuget push src/bin/Release/LoadTestToolbox.$(echo ${{ github.ref }} | sed 's/refs\/tags\///').nupkg -k $NUGET_TOKEN -s https://api.nuget.org/v3/index.json
+        env:
+          NUGET_TOKEN: ${{secrets.NUGET_TOKEN}}
diff --git a/.github/workflows/Sonar.yml b/.github/workflows/Sonar.yml
@@ -7,46 +7,47 @@ jobs:
     if: github.actor != 'dependabot[bot]'
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: 10.0.x
-
-    - name: Install Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: microsoft
-        java-version: 21
-
-    - name: Install Sonar Scanner
-      run: dotnet tool install --global dotnet-sonarscanner
-
-    - name: Install dependencies
-      run: dotnet restore
-
-    - name: Start Sonar Analysis
-      run: dotnet-sonarscanner begin /d:sonar.host.url="https://sonarcloud.io" /d:sonar.token="$SONAR_TOKEN" /o:"ecoapm" /k:"ecoAPM_LoadTestToolbox" /d:sonar.cs.vstest.reportsPaths="test/TestResults/results.trx" /d:sonar.cs.opencover.reportsPaths="test/TestResults/coverage.opencover.xml"
-      env:
-        SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
-
-    - name: Build
-      run: dotnet build --no-restore
-      env:
-        SONAR_DOTNET_ENABLE_CONCURRENT_EXECUTION: true
-
-    - name: Test
-      run: dotnet test --no-build --logger "trx;LogFileName=results.trx" --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
-
-    - name: Move Code Coverage
-      run: mv test/TestResults/**/*.xml test/TestResults
-
-    - name: Finish Sonar Analysis
-      run: dotnet-sonarscanner end /d:sonar.token="$SONAR_TOKEN"
-      env:
-        SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
-        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Install Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: microsoft
+          java-version: 21
+
+      - name: Install Sonar Scanner
+        run: dotnet tool install --global dotnet-sonarscanner
+
+      - name: Install dependencies
+        run: dotnet restore
+
+      - name: Start Sonar Analysis
+        run: dotnet-sonarscanner begin /d:sonar.host.url="https://sonarcloud.io" /d:sonar.token="$SONAR_TOKEN" /o:"ecoapm" /k:"ecoAPM_LoadTestToolbox" /d:sonar.cs.vstest.reportsPaths="test/TestResults/results.trx" /d:sonar.cs.opencover.reportsPaths="test/TestResults/coverage.opencover.xml"
+        env:
+          SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
+
+      - name: Build
+        run: dotnet build --no-restore
+        env:
+          SONAR_DOTNET_ENABLE_CONCURRENT_EXECUTION: true
+
+      - name: Test
+        run: dotnet test --no-build --logger "trx;LogFileName=results.trx" --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
+
+      - name: Move Code Coverage
+        run: mv test/TestResults/**/*.xml test/TestResults
+
+      - name: Finish Sonar Analysis
+        run: dotnet-sonarscanner end /d:sonar.token="$SONAR_TOKEN"
+        env:
+          SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
