From acbaa18d97eb655ec5d42ae3ddf45c754b904623 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Sat, 3 Jan 2026 04:59:37 +0100
Subject: [PATCH] GH Actions: do not persist credentials

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
---
 .github/workflows/browserslist-db.yml | 1 +
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/cs.yml | 2 ++
 .github/workflows/deploy.yml | 3 +++
 .github/workflows/deprecation-check.yml | 2 ++
 .github/workflows/generate_csv.yml | 2 ++
 .github/workflows/jslint.yml | 2 ++
 .github/workflows/jstest.yml | 5 +++++
 .github/workflows/lint.yml | 2 ++
 .github/workflows/security.yml | 2 ++
 .github/workflows/test.yml | 4 ++++
 11 files changed, 27 insertions(+)

diff --git a/.github/workflows/browserslist-db.yml b/.github/workflows/browserslist-db.yml
index 952a105fa15..ebee1d7c041 100644
--- a/.github/workflows/browserslist-db.yml
+++ b/.github/workflows/browserslist-db.yml
@@ -24,6 +24,7 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
+ persist-credentials: true
 - name: Update Browserslist database and create PR
 uses: c2corg/browserslist-update-action@a76abb476199caea5399f9e28ff3f16e491ec566 # @v2.5.0 locked to a specific commit to avoid security issues due to a compromised repo.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5328fb5986d..f3893263217 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index c0935efefaa..63df1f0c457 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -41,6 +41,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: true
 - name: Determine the base branch for the file diff
 id: base_branch
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d8cd4393a73..6ff60d6e943 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -57,6 +57,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Install PHP
 uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
@@ -176,6 +178,7 @@ jobs:
 # Personal Access Token for (push) access to the dist version of the repo.
 token: ${{ secrets.YOASTBOT_CI_PAT_DIST }}
 fetch-depth: 0
+ persist-credentials: true
 - name: "Create branch/Switch to branch"
 if: ${{ steps.set_vars.outputs.BRANCH != env.DIST_DEFAULT_BRANCH }}
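Review bot: The `persist-credentials: true` added under `with:` here, and likewise in cs.yml at `@@ -41,6 +41,8` and deploy.yml at `@@ -176,6 +178,7`, opts back into writing the token into `.git/config` without recording which later step relies on it, so a future reader cannot distinguish a deliberate opt-in from a leftover default. A one-line comment above each would keep the decision auditable, e.g. `# Kept on purpose: the next step presumably pushes a branch and opens a PR.` for this job and `# Kept on purpose: the diff steps below appear to need an authenticated git fetch of the base branch.` for cs.yml, both phrased as assumptions because the steps that actually use the credential are outside these hunks. The checkout step this `with:` belongs to starts above the hunk.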
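Review bot: In the deploy.yml hunk at `@@ -176,6 +178,7`, `persist-credentials: true` now stores `secrets.YOASTBOT_CI_PAT_DIST`, a PAT with push access according to the comment two lines up, in the checkout's `.git/config` for the rest of the job, which is a broader credential than the job's own `GITHUB_TOKEN`; the artifact-leak scenario the commit message cites therefore carries more impact at this site than at the others. It is worth confirming that no later step of this job uploads the working tree as an artifact or runs code it does not control, and recording the decision with a comment such as `# Kept on purpose: the branch and push steps below authenticate with this PAT.`. The `with:` mapping and its step begin above this hunk, and the steps that consume the credential follow it.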
diff --git a/.github/workflows/deprecation-check.yml b/.github/workflows/deprecation-check.yml
index 92061b985a0..6c186ffe20e 100644
--- a/.github/workflows/deprecation-check.yml
+++ b/.github/workflows/deprecation-check.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Place a comment on the PR
 uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
diff --git a/.github/workflows/generate_csv.yml b/.github/workflows/generate_csv.yml
index bd79047b706..64fc6c3bbed 100644
--- a/.github/workflows/generate_csv.yml
+++ b/.github/workflows/generate_csv.yml
@@ -10,6 +10,8 @@ jobs:
 # Check out the repository
 - name: Check out repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # Install dependencies
 - name: Install dependencies
diff --git a/.github/workflows/jslint.yml b/.github/workflows/jslint.yml
index a3e3f440f28..0d7f109b30e 100644
--- a/.github/workflows/jslint.yml
+++ b/.github/workflows/jslint.yml
@@ -58,6 +58,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # The ubuntu images come with Node, npm and yarn pre-installed.
 # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md
diff --git a/.github/workflows/jstest.yml b/.github/workflows/jstest.yml
index 7fef7b1e50b..b166c4fcacf 100644
--- a/.github/workflows/jstest.yml
+++ b/.github/workflows/jstest.yml
@@ -78,6 +78,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # The ubuntu images come with Node, npm and yarn pre-installed.
 # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md
@@ -147,6 +149,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Checks for changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # dorny/paths-filter@v3.0.2
@@ -171,6 +175,7 @@ jobs:
 path: packages/yoastseo/premium-configuration
 fetch-depth: 0
 token: ${{ secrets.YOASTBOT_CI_PAT_DIST }}
+ persist-credentials: false
 # The ubuntu images come with Node, npm and yarn pre-installed.
 # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 23937b2c73d..90bb3dfb35e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -44,6 +44,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # For the purpose of linting the code, we need the `vendor-prefixed` directory to
 # be created as the prefixed code should be linted to ensure there are no parse errors
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 0562be2112b..d56d09f4a27 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # This action checks the `composer.lock` file against known security vulnerabilities in the dependencies.
 # https://github.com/marketplace/actions/the-php-security-checker
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d2f2bc54431..6051a22e4ef 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
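Review bot: Setting `persist-credentials: false` on the checkout in the jstest.yml hunk at `@@ -147,6 +149,8` leaves the `dorny/paths-filter` step two lines below without an authenticated git remote; as far as I recall that action queries the GitHub API on `pull_request` events but falls back to `git fetch`/`git diff` against the base ref on `push` events, which would fail for a private repository once the token is no longer in `.git/config`. If this job only runs on `pull_request`, or the repository is public, the change is harmless, but it is worth confirming with a push-triggered run and recording the assumption, e.g. `# No persisted credentials: paths-filter uses the API on pull_request events.`. The workflow's `on:` triggers are outside this hunk.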
@@ -62,6 +62,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2.
 - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection
@@ -197,6 +199,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2.
 - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection