fix: potential CI injections #15720
with: | ||
persist-credentials: false |
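Review bot: on the persist-credentials: false line, check that no later step in the same job relies on the token that actions/checkout would otherwise leave in the local git config (a git push or an authenticated fetch, for example). Any step that does needs its credentials passed to it explicitly, otherwise it will fail once this setting is in place.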
Is there a way to do this by default so that we don't have to spam it around everywhere? (and remember to add it in the future for new workflows?)
afaik the only way to achieve this would be by wrapping actions/checkout in a composite GHA and setting this as the default.
^ yeah this would be the only way
Also, I don't think it matters that much; it was an easy remedy to a lot of warning-level errors.
I might try and add it to gha-workflow-validator so it will annotate these references to make sure there's persist credentials.
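The kind of check discussed in the comments above, as an added example that is not part of this PR and is not gha-workflow-validator's code: it flags every `actions/checkout` step that does not set `persist-credentials: false`. The function name and the sample workflow are constructed for illustration, and the scan is line-based (it assumes block-style YAML steps), not a full YAML parser.

```python
import re

# Constructed sample workflow (not from the PR); the first line is line 1.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          persist-credentials: true
      - run: make test
"""

STEP_START = re.compile(r"^(\s*)-\s+\S")  # a YAML list item, e.g. one step
CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/checkout@")
# Only an explicit false counts; a commented-out line does not match.
PERSIST_FALSE = re.compile(
    r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$")

def find_unsafe_checkouts(workflow_text):
    """Return 1-based line numbers of checkout steps lacking the setting."""
    lines = workflow_text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        start = STEP_START.match(lines[i])
        if not start:
            i += 1
            continue
        indent = len(start.group(1))
        # The step runs until the next non-blank line at the same or a
        # shallower indentation (the next step, or the next job key).
        j = i + 1
        while j < len(lines):
            nxt = lines[j]
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break
            j += 1
        block = lines[i:j]
        uses = [i + k + 1 for k, l in enumerate(block) if CHECKOUT.match(l)]
        if uses and not any(PERSIST_FALSE.match(l) for l in block):
            findings.append(uses[0])
        i = j
    return findings
```
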
d62fb23 to ddd920c
Changes
actions/checkout to use persist-credentials: false
Motivation
https://smartcontract-it.atlassian.net/browse/RE-3341