opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2026-03-13 08:01:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

ci: specify persist-credentials for actions/checkout

Browse Source 
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
This commit is contained in:
Daniel Hast
2025-12-01 07:38:24 -05:00
parent 30495081b7
commit 0752c5327e
8 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/dev-bump.yml vendored
View File

@@ -18,6 +18,7 @@ jobs:
with:
ref: ${{ github.ref_name }}
token: ${{ secrets.PODMANBOT_TOKEN }}
persist-credentials: true
- name: Bump
id: bump
run: |
@@ -93,6 +94,7 @@ jobs:
with:
ref: main
token: ${{ secrets.PODMANBOT_TOKEN }}
persist-credentials: true
- name: Check version on main
id: check
run: |

1
.github/workflows/first_contrib_cert_generator.yml vendored
View File

@@ -60,6 +60,7 @@ jobs:
with:
repository: containers/automation
path: automation-repo
persist-credentials: false
# Step 3: Update the HTML file locally
- name: Update HTML file

1
.github/workflows/mac-pkg.yml vendored
View File

@@ -100,6 +100,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{steps.getversion.outputs.version}}
persist-credentials: false
- name: Set up Go
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
if: >-

1
.github/workflows/machine-os-pr.yml vendored
View File

@@ -74,6 +74,7 @@ jobs:
repository: containers/podman-machine-os
ref: ${{github.base_ref}}
token: ${{secrets.PODMANBOT_TOKEN}}
persist-credentials: true
- name: Bump version
if: steps.getversion.outputs.update == 'true'

1
.github/workflows/release-artifacts.yml vendored
View File

@@ -103,6 +103,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{steps.getversion.outputs.version}}
persist-credentials: false
- name: Set up Go
if: >-

5
.github/workflows/release.yml vendored
View File

@@ -72,6 +72,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
@@ -109,6 +110,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
@@ -165,6 +167,8 @@ jobs:
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Checkout Podman
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Download Windows zip artifact
uses: actions/download-artifact@v6
- name: Set up Go
@@ -268,6 +272,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Get release notes
run: |
ver="$(echo "$VERSION" | sed -e "s/^v//" -e "s/-rc.*//")"

1
.github/workflows/update-podmanio.yml vendored
View File

@@ -78,6 +78,7 @@ jobs:
repository: containers/podman.io
ref: refs/heads/main
token: ${{ secrets.PODMANBOT_TOKEN }}
persist-credentials: true
- name: Check version
if: >-

2
.github/workflows/upload-win-installer.yml vendored
View File

@@ -55,6 +55,8 @@ jobs:
# installer build script is designed to support older releases (uses the archives
# on the release tag).
- uses: actions/checkout@v6
with:
persist-credentials: false
# This step is super-duper critical for the built/signed windows installer .exe file.
# It ensures the referenced $version github release page does NOT already contain
# this file. Windows assigns a UUID to the installer at build time, it's assumed