-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable credentials persistence in Github checkout action #3325
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
happz
added
code | no functional change
"No Functional Change" intended. Patch should not change tmt's behavior in any way.
test coverage
Improvements or additions to test coverage of tmt itself
labels
Oct 29, 2024
happz
requested review from
psss,
lukaszachy,
thrix and
janhavlin
as code owners
October 29, 2024 11:49
martinhoyer
approved these changes
Oct 29, 2024
KwisatzHaderach
approved these changes
Oct 29, 2024
therazix
approved these changes
Oct 29, 2024
lukaszachy
approved these changes
Oct 29, 2024
psss
reviewed
Oct 30, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks ok, but is this needed if we're not using any token to clone git repositories?
psss
approved these changes
Oct 30, 2024
happz
added
the
status | ready for merge
The only missing piece is to do the rebase the current 'main' and let the CI finish.
label
Oct 31, 2024
happz
force-pushed
the
github-actions-persist-credentials
branch
from
October 31, 2024 13:13
7381b97
to
0da6deb
Compare
psss
force-pushed
the
github-actions-persist-credentials
branch
from
November 1, 2024 10:00
0da6deb
to
09a263e
Compare
According to a couple of articles, the default should be `false`, but it's not, which makes the token exposed to actions that do not need it. According to a linter I tried just for fun, we should enforce it to close this hole. [1] actions/checkout#485 [2] https://github.com/woodruffw/zizmor
psss
force-pushed
the
github-actions-persist-credentials
branch
from
November 1, 2024 10:03
09a263e
to
4186dfd
Compare
Checks, which are affected by this change are green, merging. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
code | no functional change
"No Functional Change" intended. Patch should not change tmt's behavior in any way.
status | ready for merge
The only missing piece is to do the rebase the current 'main' and let the CI finish.
test coverage
Improvements or additions to test coverage of tmt itself
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
According to a couple of articles, the default should be
false
, but it's not, which makes the token exposed to actions that do not need it. According to a linter I tried just for fun, we should enforce it to close this hole.[1] actions/checkout#485
[2] https://github.com/woodruffw/zizmor
Pull Request Checklist