ci: add persist-credentials: false to checkout steps#10306
Open
knqyf263 wants to merge 2 commits into aquasecurity:main from
Conversation
Set persist-credentials: false on actions/checkout steps that don't require git push, preventing the GITHUB_TOKEN from being stored in .git/config and reducing the attack surface for credential theft. Checkout steps that require persistent credentials (backport.yaml, release.yaml trivy-repo checkout, and mkdocs workflows) are intentionally excluded.
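The check a defender would want alongside this change is a way to find the checkout steps that still keep the token. The following is an added example and not code from this pull request or from the Trivy project: a dependency-free Python audit that lists every `actions/checkout` step in a workflow file and whether its `with:` block sets `persist-credentials: false`. The `SAMPLE_WORKFLOW` text, its step names and the `example-org/trivy-repo` repository are constructed for the demo; the pinned action SHA is the one used in this PR.

```python
"""Audit a GitHub Actions workflow for actions/checkout steps that keep the token.

Added example, not code from this pull request or the Trivy project. It reports,
for each `uses: actions/checkout@...` step, whether `persist-credentials: false`
is set; a step without the key falls back to the action's default, which leaves
the token in .git/config. No YAML library: a small indentation-aware splitter
covers the `steps:` list shape. SAMPLE_WORKFLOW is constructed for the demo.
"""
import re
from dataclasses import dataclass

# `key: value  # comment` -> group 1 is the key, group 2 the value without the comment.
KEY_RE = re.compile(r"^\s*([A-Za-z_-]+):\s*(.*?)\s*(#.*)?$")
CHECKOUT_RE = re.compile(r"actions/checkout(@.*)?")


@dataclass
class Finding:
    line: int      # 1-based line where the step starts
    name: str      # step name, "" if absent
    persist: str   # "false", "true", or "unset" (unset = default = token persisted)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _split_list_items(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Group lines into YAML sequence items: a `- ` line plus its deeper-indented body."""
    items: list[tuple[int, list[str]]] = []
    start, body, indent = -1, [], -1
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            if start >= 0:
                body.append(line)
            continue
        ind, is_item = _indent(line), stripped.startswith("- ")
        # An item ends at a shallower line or at a sibling `- ` at the same depth;
        # deeper `- ` lines (a nested matrix list, say) stay inside the item.
        if start >= 0 and (ind < indent or (ind == indent and is_item)):
            items.append((start, body))
            start, body, indent = -1, [], -1
        if start < 0:
            if is_item:
                start, body, indent = idx, [line], ind
        else:
            body.append(line)
    if start >= 0:
        items.append((start, body))
    return items


def _keys(body: list[str]) -> dict[str, str]:
    """Flatten the item's `key: value` lines; the first occurrence of a key wins."""
    keys: dict[str, str] = {}
    for line in body:
        if line.lstrip().startswith("- "):
            line = line.replace("- ", "  ", 1)  # the item dash is just indentation here
        m = KEY_RE.match(line)
        if m and m.group(1) not in keys:
            keys[m.group(1)] = m.group(2).strip("'\"")
    return keys


def audit_workflow(text: str) -> list[Finding]:
    """One Finding per actions/checkout step, in file order."""
    findings = []
    for start, body in _split_list_items(text.splitlines()):
        keys = _keys(body)
        if not CHECKOUT_RE.fullmatch(keys.get("uses", "")):
            continue
        persist = keys.get("persist-credentials", "unset").lower()
        findings.append(Finding(start + 1, keys.get("name", ""), persist))
    return findings


def unsafe_checkouts(text: str) -> list[Finding]:
    """Checkout steps that leave GITHUB_TOKEN in .git/config, by default or explicitly."""
    return [f for f in audit_workflow(text) if f.persist != "false"]


# Constructed sample workflow (not a real Trivy file) covering the three cases.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (default, token persisted)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Checkout (hardened)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Checkout trivy-repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: true # deploy scripts push to this repository
          repository: example-org/trivy-repo
"""

if __name__ == "__main__":
    for f in unsafe_checkouts(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.name or '(unnamed)'}: persist-credentials={f.persist}")
```

Steps reported as `unset` are the ones this PR targets (the action's default keeps the token); steps reported as `true` are the documented exceptions such as the trivy-repo checkout, which is why an explicit `persist-credentials: true` with a comment is worth adding there rather than relying on the default.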
DmitriyLewen reviewed Mar 3, 2026
.github/workflows/release.yaml (Outdated)
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false |
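Review bot: setting `persist-credentials: false` on this checkout conflicts with the later `git push` in this job (the `mage helm:updateVersion` step); with the token no longer in `.git/config` that push will fail. Either keep credentials persisted for this one checkout with an explicit `persist-credentials: true` and a comment naming the push that needs it, or leave the step out of this change, as the description already does for the other pushing workflows.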
Contributor
IIUC we will see an error in mage helm:updateVersion.
git push will fail:
Line 47 in 8c9a92b
Comment on lines 38 to 41
| - name: Checkout trivy-repo | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| repository: ${{ github.repository_owner }}/trivy-repo |
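Review bot: this checkout carries no `persist-credentials` key, so it keeps the token only through the action's default. Since the rest of this change makes token persistence an explicit exception, add `persist-credentials: true` here with a comment naming the scripts that push to trivy-repo, so a later audit of the workflows does not flag it as an oversight.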
Contributor
nit:
Do we want to explicitly specify persist-credentials: true and add a comment for why we need to keep credentials:

  - name: Checkout trivy-repo
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      persist-credentials: true # deploy-rpm.sh and deploy-deb.sh require permissions to push changes into trivy-repo
      repository: ${{ github.repository_owner }}/trivy-repo
      ...

Same for backport.yaml
DmitriyLewen approved these changes Mar 4, 2026
Description
Set persist-credentials: false on actions/checkout steps that don't require git push, preventing the GITHUB_TOKEN from being stored in .git/config and reducing the attack surface for credential theft by compromised dependencies or scripts.

Reference: https://github.com/goreleaser/example-secure/blob/main/.github/workflows/release.yml

Changed workflows (19 checkout steps across 9 files):
- test.yaml (7 steps)
- cache-test-assets.yaml (3 steps)
- publish-chart.yaml (2 steps)
- release.yaml (2 steps: deploy-packages 1st checkout, update-chart-version)
- reusable-release.yaml (1 step)
- scan.yaml (1 step)
- spdx-cron.yaml (1 step)
- triage.yaml (1 step)
- auto-update-labels.yaml (1 step)

Intentionally excluded (require git push):
- backport.yaml: backport script pushes branches
- release.yaml trivy-repo checkout: deploy scripts push to trivy-repo
- mkdocs-dev.yaml / mkdocs-latest.yaml / test-docs.yaml: mike deploys with --push

Related issues
Checklist