@jrfnl jrfnl (Collaborator) commented Dec 12, 2025

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
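As an added example (not code from this PR or its project): a small Python guard that a workflow `run:` step could execute after checkout and before `actions/upload-artifact`, failing the job if `.git/config` still carries the `http.https://github.com/.extraheader` Authorization entry that `actions/checkout` writes when credentials are persisted, or a remote URL with an embedded token. The sample config text below is constructed and the base64 value in it is a placeholder, not a real token.

```python
import re
import sys

# git-config syntax: "[section]" or '[section "subsection"]', then "key = value" lines.
SECTION_RE = re.compile(r'^\s*\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample of .git/config after a default actions/checkout (credentials
# persisted). The base64 blob is a placeholder, not a real token.
SAMPLE_CONFIG = """\
[remote "origin"]
\turl = https://github.com/example-org/example-repo
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic Q09OU1RSVUNURUQ=
"""
# Constructed sample after checkout with persist-credentials: false (no http section).
CLEAN_CONFIG = SAMPLE_CONFIG.split('[http')[0]

def find_persisted_credentials(config_text):
    """Return (full_key, reason) pairs for every credential found in git-config text."""
    findings, section = [], None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in '#;':   # blank or comment line
            continue
        m = SECTION_RE.match(raw)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f'{name}.{sub}' if sub is not None else name
            continue
        m = KEY_RE.match(raw)
        if not m or section is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        full_key = f'{section}.{key}'
        if key == 'extraheader' and re.match(r'authorization\s*:', value, re.I):
            findings.append((full_key, 'Authorization header persisted by actions/checkout'))
        elif key in ('url', 'pushurl') and re.match(r'https?://[^/@]+@', value, re.I):
            findings.append((full_key, 'credential embedded in remote URL'))
    return findings

def main(path='.git/config'):
    """Exit non-zero when credentials are present; messages use the ::error:: annotation format."""
    with open(path, encoding='utf-8') as fh:
        findings = find_persisted_credentials(fh.read())
    for full_key, reason in findings:
        print(f'::error::{full_key}: {reason}')
    return 1 if findings else 0

if __name__ == '__main__':
    sys.exit(main(*sys.argv[1:2]))
```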
@jrfnl jrfnl added this to the 2.7.0 milestone Dec 12, 2025
@jrfnl jrfnl requested a review from gmazzap December 12, 2025 20:31
@jrfnl jrfnl added the github_actions label (Pull requests that update GitHub Actions code) Dec 12, 2025
@jrfnl jrfnl (Collaborator, Author) commented Dec 12, 2025

@gmazzap In light of recent security issues, I would also advocate for pinning all action runners to a SHA, but that does mean (much) more frequent Dependabot PRs, so more maintenance work. Happy to create the PR, but would like to hear your opinion first.

@gmazzap gmazzap (Contributor) commented Dec 13, 2025

@jrfnl If that is fine for you, it surely is fine for me

@jrfnl jrfnl (Collaborator, Author) commented Dec 13, 2025

@gmazzap Okay, I'll do that in a separate PR after this one has been merged.

@gmazzap gmazzap merged commit 75e06f3 into master Dec 13, 2025
60 checks passed
@gmazzap gmazzap deleted the feature/ghactions-do-not-persist-credentials branch December 13, 2025 11:49