Mirror-Tools
/
shaka-packager
mirror of https://github.com/shaka-project/shaka-packager.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ci: Do not persist credentials after checkout (#1464) 

See actions/checkout#485 and
https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials
after checkout. There's no call for that, so we will now set
`persist-credentials: false` on all checkout actions.
This commit is contained in:
Joey Parrish 2024-12-18 08:25:39 -08:00 committed by GitHub
parent 4e6a79f5d7
commit 57330eda4a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/build-docker.yaml vendored
View File

@ -31,6 +31,7 @@ jobs:
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
submodules: recursive submodules: recursive
persist-credentials: false
- name: Build - name: Build
shell: bash shell: bash

1
.github/workflows/build-docs.yaml vendored
View File

@ -43,6 +43,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
persist-credentials: false
- name: Generate docs - name: Generate docs
run: | run: |

2
.github/workflows/build.yaml vendored
View File

@ -47,6 +47,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
persist-credentials: false
- name: Configure Build Matrix - name: Configure Build Matrix
id: configure id: configure
@ -99,6 +100,7 @@ jobs:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
submodules: recursive submodules: recursive
fetch-tags: true fetch-tags: true
persist-credentials: false
- name: Install Linux deps - name: Install Linux deps
if: runner.os == 'Linux' if: runner.os == 'Linux'

1
.github/workflows/lint.yaml vendored
View File

@ -33,6 +33,7 @@ jobs:
# We must use 'fetch-depth: 2', or else the linter won't have another # We must use 'fetch-depth: 2', or else the linter won't have another
# revision to compare to. # revision to compare to.
fetch-depth: 2 fetch-depth: 2
persist-credentials: false
- name: Lint - name: Lint
shell: bash shell: bash

1
.github/workflows/publish-docker.yaml vendored
View File

@ -48,6 +48,7 @@ jobs:
ref: ${{ inputs.tag }} ref: ${{ inputs.tag }}
submodules: recursive submodules: recursive
fetch-tags: true fetch-tags: true
persist-credentials: false
- name: Log in to Docker Hub - name: Log in to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@v3

1
.github/workflows/publish-npm.yaml vendored
View File

@ -44,6 +44,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ inputs.tag }} ref: ${{ inputs.tag }}
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:

1
.github/workflows/release-please.yaml vendored
View File

@ -55,6 +55,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-tags: true fetch-tags: true
persist-credentials: false
- name: Compute latest - name: Compute latest
id: compute id: compute

2
.github/workflows/test-linux-distros.yaml vendored
View File

@ -32,6 +32,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
persist-credentials: false
- name: Configure Build Matrix - name: Configure Build Matrix
id: configure id: configure
@ -69,6 +70,7 @@ jobs:
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
submodules: recursive submodules: recursive
persist-credentials: false
- name: Build in Docker - name: Build in Docker
run: ./packager/testing/test_dockers.sh "${{ matrix.os_name }}" run: ./packager/testing/test_dockers.sh "${{ matrix.os_name }}"