
Commit f45f7f9

authored
ci(workflows): disable actions/checkout credential persistance (#44)
1 parent 25247df commit f45f7f9

6 files changed

Lines changed: 33 additions & 0 deletions


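--- a/.github/workflows/pr-deployer.yml
+++ b/.github/workflows/pr-deployer.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Install Python
 id: setup-python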
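Review bot: `uses: actions/checkout@v5` in this hunk is pinned to a mutable tag, so the code that handles the checkout token can change without any diff in this repository. Since the commit is already hardening the checkout steps, consider pinning to a full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v5`. The same applies to every `actions/checkout@v5` step in the other five workflow files and to `actions/setup-node@v4` in review-deploy.yml and testing.yml. The steps list continues outside the hunk.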

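--- a/.github/workflows/prod-build.yml
+++ b/.github/workflows/prod-build.yml
@@ -71,6 +71,7 @@ jobs:
 uses: actions/checkout@v5
 with:
 path: mdn/dex
+persist-credentials: false
 
 - name: Checkout (content)
 uses: actions/checkout@v5
@@ -83,6 +84,7 @@ jobs:
 # but for now it's good enough. We'll need all the history
 # so we can figure out each document's last-modified date.
 fetch-depth: 0
+persist-credentials: false
 
 - name: Checkout (blog)
 uses: actions/checkout@v5
@@ -92,20 +94,23 @@ jobs:
 path: mdn/blog
 lfs: true
 token: ${{ secrets.MDN_STUDIO_PAT }}
+persist-credentials: false
 
 - name: Checkout (generic-content)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/generic-content
 path: mdn/generic-content
+persist-credentials: false
 
 - name: Checkout (curriculum)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/curriculum
 path: mdn/curriculum
+persist-credentials: false
 
 # Our usecase is a bit complicated. When the cron schedule runs this workflow,
 # we rely on the env vars defined at the top of the file. But if it's a manual
@@ -130,13 +135,15 @@ jobs:
 path: mdn/translated-content
 # See matching warning for mdn/content checkout step
 fetch-depth: 0
+persist-credentials: false
 
 - name: Checkout (translated-content-de)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
 with:
 repository: mdn/translated-content-de
 path: mdn/translated-content-de
+persist-credentials: false
 
 - name: Move de into translated-content
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
@@ -157,6 +164,7 @@ jobs:
 with:
 repository: mdn/mdn-contributor-spotlight
 path: mdn/mdn-contributor-spotlight
+persist-credentials: false
 
 - uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}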
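Review bot: The unnamed `- uses: actions/checkout@v5` step at the end of the last hunk (new line 169) receives no `persist-credentials: false`; all 8 additions in this file belong to other steps. The rest of that step lies outside the hunk, so unless the setting was already present there, this checkout still leaves its token in the clone's `.git/config` for every later step in the job. Add `persist-credentials: false` to it too, or leave a comment saying why it needs persisted credentials. stage-build.yml (new line 192) and test-build.yml (new line 187) appear to end a hunk on the same uncovered step.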

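--- a/.github/workflows/review-deploy.yml
+++ b/.github/workflows/review-deploy.yml
@@ -36,6 +36,8 @@ jobs:
 
 - name: Checkout
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Setup Node.js environment
 uses: actions/setup-node@v4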

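--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -97,6 +97,7 @@ jobs:
 with:
 fetch-depth: 0
 path: mdn/dex
+persist-credentials: false
 
 - name: Merge main
 working-directory: mdn/dex
@@ -121,6 +122,7 @@ jobs:
 # but for now it's good enough. We'll need all the history
 # so we can figure out each document's last-modified date.
 fetch-depth: 0
+persist-credentials: false
 
 - name: Checkout (blog)
 uses: actions/checkout@v5
@@ -130,20 +132,23 @@ jobs:
 path: mdn/blog
 lfs: true
 token: ${{ secrets.MDN_STUDIO_PAT }}
+persist-credentials: false
 
 - name: Checkout (generic-content)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/generic-content
 path: mdn/generic-content
+persist-credentials: false
 
 - name: Checkout (curriculum)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/curriculum
 path: mdn/curriculum
+persist-credentials: false
 
 - name: Checkout (translated-content)
 uses: actions/checkout@v5
@@ -153,13 +158,15 @@ jobs:
 path: mdn/translated-content
 # See matching warning for mdn/content checkout step
 fetch-depth: 0
+persist-credentials: false
 
 - name: Checkout (translated-content-de)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
 with:
 repository: mdn/translated-content-de
 path: mdn/translated-content-de
+persist-credentials: false
 
 - name: Move de into translated-content
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
@@ -180,6 +187,7 @@ jobs:
 with:
 repository: mdn/mdn-contributor-spotlight
 path: mdn/mdn-contributor-spotlight
+persist-credentials: false
 
 - uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}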
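Review bot: The `Merge main` step right after the mdn/dex checkout (first hunk) now runs in a clone with no stored git credentials, and its `run:` body is outside the hunk. If it fetches or pulls from the remote instead of merging the `origin/main` ref that `fetch-depth: 0` already brought in, it will do so unauthenticated, which only works while that repository is public. A short comment above the step, e.g. `# merges refs already fetched by checkout; no git credentials are available here`, would record the assumption for later maintainers. test-build.yml has the same pattern with `Merge main (if possible)`.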

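--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -90,6 +90,7 @@ jobs:
 with:
 fetch-depth: 0
 path: mdn/dex
+persist-credentials: false
 
 - name: Merge main (if possible)
 working-directory: mdn/dex
@@ -115,6 +116,7 @@ jobs:
 # so we can figure out each document's last-modified date.
 fetch-depth: 0
 ref: ${{ github.event.inputs.content-ref }}
+persist-credentials: false
 
 - name: Checkout (blog)
 uses: actions/checkout@v5
@@ -124,20 +126,23 @@ jobs:
 path: mdn/blog
 lfs: true
 token: ${{ secrets.MDN_STUDIO_PAT }}
+persist-credentials: false
 
 - name: Checkout (generic-content)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/generic-content
 path: mdn/generic-content
+persist-credentials: false
 
 - name: Checkout (curriculum)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
 with:
 repository: mdn/curriculum
 path: mdn/curriculum
+persist-credentials: false
 
 - name: Checkout (translated-content)
 uses: actions/checkout@v5
@@ -148,13 +153,15 @@ jobs:
 # See matching warning for mdn/content checkout step
 fetch-depth: 0
 ref: ${{ github.event.inputs.translated-content-ref }}
+persist-credentials: false
 
 - name: Checkout (translated-content-de)
 uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
 with:
 repository: mdn/translated-content-de
 path: mdn/translated-content-de
+persist-credentials: false
 
 - name: Move de into translated-content
 if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }}
@@ -175,6 +182,7 @@ jobs:
 with:
 repository: mdn/mdn-contributor-spotlight
 path: mdn/mdn-contributor-spotlight
+persist-credentials: false
 
 - uses: actions/checkout@v5
 if: ${{ ! vars.SKIP_BUILD }}
@@ -204,6 +212,7 @@ jobs:
 repository: mdn/rari
 path: mdn/rari
 ref: ${{ github.event.inputs.rari-ref }}
+persist-credentials: false
 
 - name: Cache Cargo registry
 if: ${{ !( vars.SKIP_BUILD || github.event.inputs.rari-ref == '' ) }}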
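Review bot: The blog checkout in the third hunk still passes `token: ${{ secrets.MDN_STUDIO_PAT }}`; `persist-credentials: false` keeps that PAT out of `mdn/blog/.git/config`, but the scope of the secret itself is unchanged. This job also checks out refs chosen through `github.event.inputs` (`content-ref`, `translated-content-ref`, `rari-ref`) and, judging by the `Cache Cargo registry` step, probably builds from them, so it is worth confirming that the PAT is a fine-grained, read-only token limited to the repository checked out into `mdn/blog`. A comment beside the token line, such as `# read-only PAT for the LFS checkout; not persisted after this step`, would document that intent. The steps around each hunk continue outside the visible lines.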

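--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Setup Node.js environment
 uses: actions/setup-node@v4
@@ -49,6 +51,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Setup Node.js environment
 uses: actions/setup-node@v4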
