From 20ed4678977c1f7bbc3971ebd8394f7fe35d9fc9 Mon Sep 17 00:00:00 2001
From: HuangYi
Date: Wed, 16 Oct 2024 17:24:24 +0800
Subject: [PATCH 1/2] Problem: persist-credentials might leak github token unintentionally Solution: - try persist-credentials: false
---
 .github/workflows/build.yml | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c8532f44..37a438501 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,15 +94,17 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ steps.pr_data.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
+ persist-credentials: false
 submodules: true
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 - id: changed-files
@@ -150,7 +152,9 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cachix/install-nix-action@v23
 with:
 nix_path: nixpkgs=channel:nixos-22.11
@@ -213,17 +217,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
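Review bot: In the hunk at -94, the `Checkout Comment PR Branch` step still checks out `ref: ${{ steps.pr_data.outputs.ref }}` with `submodules: true` on `issue_comment`, an event whose runs use the base repository's token and secrets; `persist-credentials: false` keeps the token out of `.git/config` but does not constrain what later steps that build or run the checked-out code can reach through the job's environment. The job's `permissions:` block and whatever restricts who can trigger the comment flow are outside this hunk, so confirm the job is held to `contents: read` and that the comment author's association is checked before `pr_data` resolves the ref. The explicit `token: ${{ secrets.GITHUB_TOKEN }}` is only the action's default and could be dropped. The same step recurs in the hunks at -213, -259 and -305 with `ref: ${{ needs.build.outputs.ref }}`.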
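Review bot: In the hunk at -150, `- uses: actions/checkout@v4` is referenced by a mutable tag, as is every other checkout step this patch touches (including the hunk at -411); a tag can be repointed to different code without any change in this repository. Since the patch is about limiting token exposure, pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`. The third-party actions in the context lines, `cachix/install-nix-action@v23` here and `tj-actions/changed-files@v41` elsewhere, are referenced the same way, and this job carries `security-events: write`.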
@@ -259,17 +265,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
@@ -305,17 +313,19 @@ jobs:
 with:
 go-version: 1.22
 - name: Checkout Comment PR Branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'issue_comment'
 with:
 submodules: true
+ persist-credentials: false
 token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ needs.build.outputs.ref }}
 - name: Normal check out code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 with:
 submodules: true
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
@@ -411,7 +421,9 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - id: changed-files
 uses: tj-actions/changed-files@v41
 with:
From b433feabe07f28dc2de31eca5da9b754d3e6699f Mon Sep 17 00:00:00 2001
From: mmsqe
Date: Wed, 30 Oct 2024 12:48:24 +0800
Subject: [PATCH 2/2] refresh
---
 integration_tests/install_solo_machine.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/integration_tests/install_solo_machine.nix b/integration_tests/install_solo_machine.nix
index 76cd5906a..d44a976ee 100644
--- a/integration_tests/install_solo_machine.nix
+++ b/integration_tests/install_solo_machine.nix
@@ -5,17 +5,17 @@ let x86_64-linux = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/ubuntu-latest-${version}.tar.gz"; - sha256 = "sha256-wQix7ZeYTVD+yIWGr4F+XXnHbvXe2WZeNxG2lIDtmJ4="; + sha256 = "sha256-b+A8G7HGl1Kv32X0ybV6RODQjqAHqfAo3DQh1DtY6UQ="; }; x86_64-darwin = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz"; - sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4="; + sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U="; }; aarch64-darwin = { url = "https://github.com/crypto-com/ibc-solo-machine/releases/download/${version}/macos-latest-${version}.tar.gz"; - sha256 = "sha256-NYmm44l5exQiG9DbwUM/UZiEmxc0JriXM8/l/xpc+q4="; + sha256 = "sha256-9Zo3sGxnjB05X90FFK/3yGbWokxJqVL0teb1x1z5a0U="; }; }.${stdenv.system} or (throw "Unsupported system: ${stdenv.system}");
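Review bot: All three `sha256` values change while the download URLs still interpolate the same `${version}`, and the diffstat shows nothing else in the file changing, which suggests the release archives were replaced upstream under an unchanged tag; the commit message `refresh` does not say why. Before accepting the new hashes, confirm with the crypto-com/ibc-solo-machine release that the re-upload was intentional, and record the reason above the attrset, for example `# hashes refreshed: upstream re-published ${version} assets, checked against the release page`. The `version` binding and the fetch call sit outside this hunk, so where the tag is set cannot be confirmed from here.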