From c23a52790089a734126f305b8be86b3687126c84 Mon Sep 17 00:00:00 2001
From: yihuang
Date: Wed, 30 Oct 2024 13:06:20 +0800
Subject: [PATCH] Problem: persist-credentials might leak github token unintentionally (#1090)
* Problem: persist-credentials might leak github token unintentionally
Solution:
- try persist-credentials: false
* refresh
---------
Signed-off-by: yihuang
Co-authored-by: mmsqe
---
.github/workflows/build.yml | 12 ++++++++++++
integration_tests/install_solo_machine.nix | 6 +++---
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9b3a0e612..37a438501 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -98,11 +98,13 @@ jobs: if: github.event_name == 'issue_comment' with: submodules: true + persist-credentials: false token: ${{ secrets.GITHUB_TOKEN }} ref: ${{ steps.pr_data.outputs.ref }} - name: Normal check out code uses: actions/checkout@v4 with: + persist-credentials: false submodules: true if: github.event_name == 'push' || github.event_name == 'pull_request' - id: changed-files
@@ -151,6 +153,8 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@v23 with: nix_path: nixpkgs=channel:nixos-22.11
@@ -217,6 +221,7 @@ jobs: if: github.event_name == 'issue_comment' with: submodules: true + persist-credentials: false token: ${{ secrets.GITHUB_TOKEN }} ref: ${{ needs.build.outputs.ref }} - name: Normal check out code
@@ -224,6 +229,7 @@ jobs: if: github.event_name == 'push' || github.event_name == 'pull_request' with: submodules: true + persist-credentials: false - id: changed-files uses: tj-actions/changed-files@v41 with:
@@ -263,6 +269,7 @@ jobs: if: github.event_name == 'issue_comment' with: submodules: true + persist-credentials: false token: ${{ secrets.GITHUB_TOKEN }} ref: ${{ needs.build.outputs.ref }} - name: Normal check out code
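Review bot: The job token is still reachable from the PR-selected ref that the `issue_comment` step in the -98 hunk checks out: `persist-credentials: false` keeps it out of `.git/config`, but the step still fetches `ref: ${{ steps.pr_data.outputs.ref }}` with `token: ${{ secrets.GITHUB_TOKEN }}`, and if any later step passes that token through `env` or `with`, the checked-out tree's build scripts can read it; the -151 hunk shows at least one job in this workflow holding `security-events: write`. What bounds that token is the job-level `permissions` block, which lies outside every hunk here, so it is worth confirming each job grants `contents: read` plus only the write scopes it needs. The same applies to the `issue_comment` checkouts in the -217 and -263 hunks on this line and the -309 hunk on the next. One style point: the new key sits between `submodules: true` and `token:` in the first step but before `submodules: true` in the "Normal check out code" step; keeping a single position across the remaining additions makes them easier to audit.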
@@ -270,6 +277,7 @@ jobs: if: github.event_name == 'push' || github.event_name == 'pull_request' with: submodules: true + persist-credentials: false - id: changed-files uses: tj-actions/changed-files@v41 with:
@@ -309,6 +317,7 @@ jobs: if: github.event_name == 'issue_comment' with: submodules: true + persist-credentials: false token: ${{ secrets.GITHUB_TOKEN }} ref: ${{ needs.build.outputs.ref }} - name: Normal check out code
@@ -316,6 +325,7 @@ jobs: if: github.event_name == 'push' || github.event_name == 'pull_request' with: submodules: true + persist-credentials: false - id: changed-files uses: tj-actions/changed-files@v41 with:
@@ -412,6 +422,8 @@ jobs: if: github.event_name == 'push' || github.event_name == 'pull_request' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - id: changed-files uses: tj-actions/changed-files@v41 with:
diff --git a/integration_tests/install_solo_machine.nix b/integration_tests/install_solo_machine.nix
index 76cd5906a..d44a976ee 100644
--- a/integration_tests/install_solo_machine.nix
+++ b/integration_tests/install_solo_machine.nix
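Review bot: In the -412 hunk the checkout is immediately followed by `tj-actions/changed-files@v41`, which now runs with no credentials persisted in the checkout; if it has to fetch the comparison base (the same follow-on step appears after the -270 and -316 hunks here and after the -98 and -224 hunks on the previous line), an anonymous fetch works only for a public repository, so a one-line `# persist-credentials: false — later steps must not rely on git auth from the checkout` comment on the first checkout would record that assumption for the next maintainer. These hunks also pin third-party actions to mutable tags (`actions/checkout@v4`, `tj-actions/changed-files@v41`, `cachix/install-nix-action@v23`), and checkout and changed-files both default their `token` input to the job token; pinning each `uses:` to a full commit SHA with the version in a trailing comment removes the remaining dependency on tag immutability that this commit's token-hygiene goal leaves open.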
@@ -5,17 +5,17 @@ let x86_64-linux = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/ubuntu-latest-${version}.tar.gz"; - sha256 = "sha256-wQix7ZeYTVD+yIWGr4F+XXnHbvXe2WZeNxG2lIDtmJ4="; + sha256 = "sha256-b+A8G7HGl1Kv32X0ybV6RODQjqAHqfAo3DQh1DtY6UQ="; }; x86_64-darwin = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz"; - sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4="; + sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U="; }; aarch64-darwin = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz"; - sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4="; + sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U="; }; }.${stdenv.system} or (throw "Unsupported system: ${stdenv.system}");