ci: use at least v6 of checkout action in workflows

anujm1 · anujm1 · commit d3ddb1b8b5b6 · 2026-03-05T20:58:55.000+05:30
checkout action by default causes a credential to be persisted on disk [1]. Versions before v6 used to store it in .git/config in checked-out repository. v6 fixed this and stored credentials to an area [2] which is later cleaned up. Use v6 of the action to include the change and be more secure. Set persist-credentials to false nonetheless as recommended by zizmor. [1] https://docs.zizmor.sh/audits/#artipacked [1] https://github.com/orgs/community/discussions/179107#discussioncomment-14906259 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
diff --git a/.github/actions/lava-test-plans/action.yml b/.github/actions/lava-test-plans/action.yml
@@ -23,8 +23,9 @@ inputs:
 runs:
   using: "composite"
   steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           repository: qualcomm-linux/lava-test-plans
           path: lava-test-plans
           ref: 1ab5e2f1d6cc3559ca4685941cc9fd17ab132c2d
diff --git a/.github/workflows/build-yocto.yml b/.github/workflows/build-yocto.yml
@@ -34,7 +34,9 @@ jobs:
           wget -qO ${KAS_CONTAINER} https://raw.githubusercontent.com/siemens/kas/refs/tags/$LATEST/kas-container
           chmod +x ${KAS_CONTAINER}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Run kas lock
         run: |
@@ -57,7 +59,9 @@ jobs:
     if: github.repository_owner == 'qualcomm-linux'
     runs-on: [self-hosted, qcom-u2404, amd64]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Download kas lockfile
         uses: actions/download-artifact@v7
@@ -116,7 +120,9 @@ jobs:
             yamlfile: ":ci/linux-qcom-rt-6.18.yml:ci/qcom-distro-kvm.yml"
     name: ${{ matrix.machine }}/${{ matrix.distro.name }}${{ matrix.kernel.dirname }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Run kas build
         uses: ./.github/actions/compile
@@ -237,7 +243,9 @@ jobs:
                 yamlfile: ":ci/linux-qcom-6.18.yml:ci/u-boot-qcom.yml"
     name: ${{ matrix.machine }}/${{ matrix.distro.name }}${{ matrix.kernel.dirname }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Run kas build
         uses: ./.github/actions/compile
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
@@ -13,7 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
       - name: Verify repolinter config file is present
         id: check_files
         uses: andstor/file-existence-action@v3
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -40,9 +40,10 @@ jobs:
           - machine: qcom-armv7a
             kernel: _linux-qcom-6.18
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run lava-test-plans
         uses: ./.github/actions/lava-test-plans
@@ -60,9 +61,10 @@ jobs:
     outputs:
       jobmatrix: ${{ steps.listjobs.outputs.jobmatrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "List jobs"
         id: listjobs
@@ -165,9 +167,10 @@ jobs:
         run: |
           echo "${RESULT}"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run lava-test-plans
         uses: ./.github/actions/lava-test-plans
@@ -186,9 +189,10 @@ jobs:
     outputs:
       jobmatrix: ${{ steps.listjobs.outputs.jobmatrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "List jobs"
         id: listjobs
@@ -240,9 +244,10 @@ jobs:
       summary_id: ${{ steps.generate-summary.outputs.artifact_id }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Generate Summary
         id: generate-summary
