Side-effect of leaking credentials w/ `create_credentials_file` in downstream glob-based copy steps

[svij-sc]

When create_credentials_file=true is passed, the credentials file is created inside the GitHub Actions runner's WORKSPACE directory.

As noted in the code (reference), this design choice allows the exported credentials to be automatically accessible to Docker-based actions without additional user configuration.

However, this default behavior introduces a potential risk:
Many workflows, particularly those generating assets use glob-based copy commands (e.g., cp -r *, etc.) - If users are not careful, this can inadvertently include the credential file in the build context or artifacts, potentially exposing sensitive information in pull requests, releases, etc.

We could consider one of the following alternatives:

• Change the default export location to a less risky directory outside of WORKSPACE. Secondly, provide guidance for the convenience this provides, aforementioned.
• Require an explicit path for create_credentials_file, rather than defaulting to the working directory.

[github-actions]

Hi there @svij-sc 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @svij-sc - thanks for opening an issue. This has already been debated ad-nauseam, and I 100% agree that the current implementation isn't ideal. Unfortunately the only reliable way to ensure the credentials are available to Docker-based actions and (also cleaned up between runs on self-hosted runners) is to put the credentials in $GITHUB_WORKSPACE. If GitHub adds another directory that's supported for sharing state, then we can absolutely switch to that. In the meantime, the best path is to either skip generating credentials or ensure gha-creds-*.json is added to your ignore files as documented in the README.

There's probably more, but: #123, #134, #275, #298, #472.

[svij-sc]

Thanks @sethvargo .
Curious, are there guardrails setup to prevent renaming off gha-creds-*.json?

[sethvargo]

Hey @svij-sc - I provided an updated on #123 with a lot more detail on the current status of things as of last week.

I'm not sure what you mean by "guardrails to prevent renaming". Can you say more?

[svij-sc]

Thanks, I will follow up on #123 if needed.