Merge pull request #6975 from dcampbell24/zizmor-fix-01

Set persist-credentials: false

Author: sylvestre

.github/workflows/CICD.yml

@@ -37,6 +37,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: EmbarkStudios/cargo-deny-action@v2
 
   style_deps:
@@ -54,6 +56,8 @@ jobs:
           - { os: windows-latest , features: feat_os_windows }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@nightly
     ## note: requires 'nightly' toolchain b/c `cargo-udeps` uses the `rustc` '-Z save-analysis' option
     ## * ... ref: <https://github.com/est31/cargo-udeps/issues/73>
@@ -106,6 +110,8 @@ jobs:
 #          - { os: windows-latest , features: feat_os_windows }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: stable
@@ -159,6 +165,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: ${{ env.RUST_MIN_SRV }}
@@ -227,6 +235,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
     - uses: Swatinem/rust-cache@v2
     - name: "`cargo update` testing"
@@ -250,6 +260,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
     - uses: taiki-e/install-action@nextest
     - uses: Swatinem/rust-cache@v2
@@ -304,6 +316,8 @@ jobs:
           - { os: windows-latest , features: feat_os_windows }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
     - uses: taiki-e/install-action@nextest
     - uses: Swatinem/rust-cache@v2
@@ -331,6 +345,8 @@ jobs:
           - { os: windows-latest , features: feat_os_windows }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@nightly
     - uses: taiki-e/install-action@nextest
     - uses: Swatinem/rust-cache@v2
@@ -355,6 +371,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
     - uses: Swatinem/rust-cache@v2
     - name: Run sccache-cache
@@ -485,6 +503,8 @@ jobs:
           - { os: windows-latest , target: aarch64-pc-windows-msvc     , features: feat_os_windows, use-cross: use-cross , skip-tests: true }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: ${{ env.RUST_MIN_SRV }}
@@ -780,6 +800,8 @@ jobs:
         ## VARs setup
         echo "TEST_SUMMARY_FILE=busybox-result.json" >> $GITHUB_OUTPUT
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: Swatinem/rust-cache@v2
     - name: Run sccache-cache
       uses: mozilla-actions/sccache-action@v0.0.7
@@ -860,6 +882,8 @@ jobs:
         TEST_SUMMARY_FILE="toybox-result.json"
         outputs TEST_SUMMARY_FILE
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: ${{ env.RUST_MIN_SRV }}
@@ -935,6 +959,8 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
     - uses: Swatinem/rust-cache@v2
     - name: build and test all programs individually

.github/workflows/CheckScripts.yml

@@ -30,6 +30,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master
         env:
@@ -46,6 +48,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup shfmt
         uses: mfinelli/setup-shfmt@v3
       - name: Run shfmt

.github/workflows/FixPR.yml

@@ -27,6 +27,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Initialize job variables
       id: vars
       shell: bash
@@ -86,6 +88,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Initialize job variables
       id: vars
       shell: bash

.github/workflows/GnuTests.yml

@@ -65,6 +65,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         path: '${{ steps.vars.outputs.path_UUTILS }}'
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: stable
@@ -79,6 +80,7 @@ jobs:
         path: '${{ steps.vars.outputs.path_GNU }}'
         ref: ${{ steps.vars.outputs.repo_GNU_ref }}
         submodules: false
+        persist-credentials: false
 
     - name: Override submodule URL and initialize submodules
       # Use github instead of upstream git server

.github/workflows/android.yml

@@ -79,6 +79,8 @@ jobs:
         sudo udevadm control --reload-rules
         sudo udevadm trigger --name-match=kvm
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Collect information about runner
       if: always()
       continue-on-error: true

.github/workflows/code-quality.yml

@@ -32,6 +32,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: stable
@@ -75,6 +77,8 @@ jobs:
           - { os: windows-latest , features: feat_os_windows }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: stable
@@ -120,6 +124,8 @@ jobs:
           - { os: ubuntu-latest , features: feat_os_unix }
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Initialize workflow variables
       id: vars
       shell: bash
@@ -156,6 +162,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check
         run: npx --yes @taplo/cli fmt --check

.github/workflows/freebsd.yml

@@ -35,6 +35,8 @@ jobs:
       RUSTC_WRAPPER: "sccache"
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: Swatinem/rust-cache@v2
     - name: Run sccache-cache
       uses: mozilla-actions/sccache-action@v0.0.7
@@ -127,6 +129,8 @@ jobs:
       RUSTC_WRAPPER: "sccache"
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: Swatinem/rust-cache@v2
     - name: Run sccache-cache
       uses: mozilla-actions/sccache-action@v0.0.7

.github/workflows/fuzzing.yml

@@ -22,6 +22,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@nightly
     - name: Install `cargo-fuzz`
       run: cargo install cargo-fuzz
@@ -62,6 +64,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@nightly
     - name: Install `cargo-fuzz`
       run: cargo install cargo-fuzz