Security: Disable GitHub Actions credential persistence for checkout steps

2026-06-27 22:46:09 +00:00 · 2026-05-28 21:41:18 +12:00
parent c1c98442df
commit 2ce675cc10
6 changed files with 17 additions and 3 deletions
--- a/.github/workflows/build-docker-edge.yml
+++ b/.github/workflows/build-docker-edge.yml
@@ -11,6 +11,7 @@ jobs:
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
          fetch-depth: 0 # required for github-action-get-previous-tag
+          persist-credentials: false

    - name: Set up QEMU
      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
@@ -42,11 +43,14 @@ jobs:
    - name: Calculate next patch version
      id: next-version
      run: |
-        TAG="${{ steps.previous-tag.outputs.tag }}"
+        TAG="${STEPS_PREVIOUS_TAG_OUTPUTS_TAG}"
        VERSION="${TAG#v}"
        BASE="${VERSION%.*}"
        PATCH="${VERSION##*.}"
-        echo "version=v${BASE}.$((PATCH + 1))-${{ steps.short-sha.outputs.sha }}" >> "$GITHUB_OUTPUT"
+        echo "version=v${BASE}.$((PATCH + 1))-${STEPS_SHORT_SHA_OUTPUTS_SHA}" >> "$GITHUB_OUTPUT"
+      env:
+        STEPS_PREVIOUS_TAG_OUTPUTS_TAG: ${{ steps.previous-tag.outputs.tag }}
+        STEPS_SHORT_SHA_OUTPUTS_SHA: ${{ steps.short-sha.outputs.sha }}

    - name: Build and push
      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -9,6 +9,8 @@ jobs:
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false

    - name: Set up QEMU
      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -22,12 +22,14 @@ jobs:
            goos: windows
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false

    # build the assets
    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 22
-    - run: echo "Building assets for ${{ github.ref_name }}"
+    - run: echo "Building assets for ${GITHUB_REF_NAME}"
    - run: npm ci
    - run: npm run package

--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,6 +39,8 @@ jobs:
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/tests-rqlite.yml
+++ b/.github/workflows/tests-rqlite.yml
@@ -18,6 +18,8 @@ jobs:
          HTTP_ADV_ADDR: "localhost:4001"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -17,6 +17,8 @@ jobs:
        go-version: ${{ matrix.go-version }}
        cache: false
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Set up Go environment
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with: