Don't persist credentials when not needed, and save verbose test results
persist-credentials defaults to true (see
actions/checkout#485).  It looks like
pull_request workflows run without token access, but it's not clear from
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
if that means persist-credentials doesn't leave a secret in the .git
directory where a malicious PR could access it.
flwyd committed Feb 4, 2024
1 parent 8b74bc6 commit 99d2496
Showing 2 changed files with 13 additions and 2 deletions.
9 changes: 8 additions & 1 deletion .github/workflows/ci.yaml
Expand Up @@ -38,12 +38,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
- name: Test
run: go test ./...
run: go test -v ./... | tee "${RUNNER_TEMP}/go-test-results.txt"
- uses: actions/upload-artifact@v4
with:
name: go-test-results
path: "${{ env.RUNNER_TEMP }}/go-test-results.txt"

build:
needs: test
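Review bot: the new Test step pipes `go test -v ./...` into `tee`, so the step reports tee's exit status rather than the test run's. Unless the workflow sets `shell: bash` (which turns on pipefail) or the run line starts with `set -o pipefail`, failing tests will leave this job green and `build`, which `needs: test`, will still run. In the upload step, `path: "${{ env.RUNNER_TEMP }}/go-test-results.txt"` reads the `env` context, which only holds variables defined in the workflow's own `env:` blocks, so the prefix expands to an empty string; `${{ runner.temp }}` is the expression form of that directory. Once the pipe propagates failures, the upload step also needs `if: always()`, otherwise it is skipped exactly when the verbose log is wanted.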
Expand All @@ -62,6 +68,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
- uses: actions/setup-go@v5
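Review bot: the reason for `persist-credentials: false` on this checkout is recorded only in the commit message, and the same two lines are repeated on every checkout step in both workflows. A one-line YAML comment above `persist-credentials: false` saying that the token should not be left in the checked-out `.git` directory would keep a later cleanup from removing it as a no-op setting.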
6 changes: 5 additions & 1 deletion .github/workflows/release.yaml
Expand Up @@ -33,12 +33,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-go@v5
with:
go-version: '>=1.18'
cache: true
- name: Test
run: go test ./...
run: go test -v ./...

build:
needs: test
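Review bot: in release.yaml the Test step only gains `-v`; the output is not written to a file or uploaded, so the "save verbose test results" half of the commit title does not cover release runs. If that is deliberate, say so in the commit message; if not, add the tee and upload-artifact steps here as well, with pipefail set so a test failure still fails the step.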
Expand All @@ -56,6 +58,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-go@v5
with:
go-version: '>=1.18'
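Review bot: this is the release build job and the steps after setup-go are outside the hunk, so it is not visible whether any of them talk to the remote. With `persist-credentials: false` on this checkout, a later step that runs git against the remote (pushing a tag, fetching more refs) no longer finds the token in the local git config and has to be given credentials explicitly. Please confirm the remaining steps only use the local clone or pass the token themselves.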
