admin/topgrade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: don't persist credentials in actions/checkout (#1422)

Browse Source
This commit is contained in:
Daniel Hast
2025-11-03 06:29:07 -05:00
committed by GitHub
parent bafa15c8f1
commit 9e9e6c9d55
8 changed files with 41 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/check_config_creation_if_not_exists.yml vendored
View File

@@ -16,6 +16,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- run: | - run: |
CONFIG_PATH=~/.config/topgrade.toml; CONFIG_PATH=~/.config/topgrade.toml;
if [ -f "$CONFIG_PATH" ]; then rm $CONFIG_PATH; fi if [ -f "$CONFIG_PATH" ]; then rm $CONFIG_PATH; fi

2
.github/workflows/check_i18n.yml vendored
View File

@@ -15,6 +15,8 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Install checker - name: Install checker
# Build it with the dev profile as this is faster and the checker still works # Build it with the dev profile as this is faster and the checker still works

2
.github/workflows/check_security_vulnerability.yml vendored
View File

@@ -25,6 +25,8 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Run DevSkim scanner - name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16 uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16

6
.github/workflows/ci.yml vendored
View File

@@ -20,6 +20,8 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Run cargo fmt - name: Run cargo fmt
env: env:
@@ -34,6 +36,8 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Check if `Step` enum is sorted - name: Check if `Step` enum is sorted
run: | run: |
@@ -125,6 +129,8 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Setup Rust Cache - name: Setup Rust Cache
uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1

4
.github/workflows/create_release_assets.yml vendored
View File

@@ -28,6 +28,8 @@ jobs:
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Install needed components - name: Install needed components
run: | run: |
@@ -158,6 +160,8 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Install needed components - name: Install needed components
run: | run: |

3
.github/workflows/dependency-review.yml vendored
View File

@@ -18,5 +18,8 @@ jobs:
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@v5.0.0 uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: 'Dependency Review' - name: 'Dependency Review'
uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1 uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1

15
.github/workflows/release-plz.yml vendored
View File

@@ -16,14 +16,12 @@ jobs:
contents: write contents: write
id-token: write # For trusted publishing id-token: write # For trusted publishing
steps: steps:
- &checkout - name: Checkout repository
name: Checkout repository
uses: actions/checkout@v5 uses: actions/checkout@v5
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- &install-rust - name: Install Rust toolchain
name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable uses: dtolnay/rust-toolchain@stable
- name: Run release-plz - name: Run release-plz
id: release-plz id: release-plz
@@ -53,8 +51,13 @@ jobs:
group: release-plz-${{ github.ref }} group: release-plz-${{ github.ref }}
cancel-in-progress: false cancel-in-progress: false
steps: steps:
- *checkout - name: Checkout repository
- *install-rust uses: actions/checkout@v5
with:
fetch-depth: 0
persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Run release-plz - name: Run release-plz
uses: release-plz/action@v0.5 uses: release-plz/action@v0.5
with: with:

12
.github/workflows/release_to_pypi.yml vendored
View File

@@ -16,6 +16,9 @@ jobs:
target: [x86_64, x86, aarch64] target: [x86_64, x86, aarch64]
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Build wheels - name: Build wheels
uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
with: with:
@@ -35,6 +38,9 @@ jobs:
target: [x64, x86] target: [x64, x86]
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Build wheels - name: Build wheels
uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
with: with:
@@ -53,6 +59,9 @@ jobs:
target: [x86_64, aarch64] target: [x86_64, aarch64]
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Build wheels - name: Build wheels
uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
with: with:
@@ -68,6 +77,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v5.0.0 - uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: Build sdist - name: Build sdist
uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
with: with: