ci: specify persist-credentials for actions/checkout

Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast
2025-12-01 07:38:24 -05:00
parent 30495081b7
commit 0752c5327e
8 changed files with 14 additions and 0 deletions


@@ -72,6 +72,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
@@ -109,6 +110,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
@@ -165,6 +167,8 @@ jobs:
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Checkout Podman
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Download Windows zip artifact
uses: actions/download-artifact@v6
- name: Set up Go
@@ -268,6 +272,7 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{needs.check.outputs.version}}
persist-credentials: false
- name: Get release notes
run: |
ver="$(echo "$VERSION" | sed -e "s/^v//" -e "s/-rc.*//")"
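Review bot: The `persist-credentials: false` added to the checkout ahead of `Get release notes` (last hunk) affects every later step of that job, and those steps lie outside the hunk. If any of them runs an authenticated git command, such as pushing a tag or fetching a private ref, it will now need an explicit token, so this should be confirmed against the full job. The same check applies to the three other checkouts changed in this file. Because the action's default is still to persist the token, a short comment above each added line would help preserve the intent, for example `# no later step uses git credentials; keep the token out of anything uploaded as an artifact`.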