Specify whether to persist credentials on checkout action

Signed-off-by: Kyle Harding <kyle@balena.io>
github · Sep 27, 2024 · 10a8488 · 10a8488
1 parent bf8ab46
commit 10a8488
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 23 deletions.
diff --git a/.github/actions/codeql-analysis/action.yml b/.github/actions/codeql-analysis/action.yml
@@ -3,12 +3,14 @@ description: 'Perform code scanning for vulnerabilities'
 inputs:
   languages:
     description: 'CodeQL Languages'
-    required: true    
+    required: true
 runs:
   using: "composite"
   steps:
     - name: 'Checkout repository'
       uses: actions/checkout@v3
+      with:
+        persist-credentials: false
     - name: 'Initialize CodeQL'
       uses: github/codeql-action/init@v2
       with:

diff --git a/.github/actions/publish-docker/action.yml b/.github/actions/publish-docker/action.yml
@@ -1,15 +1,15 @@
 name: 'Publish Docker'
 description: 'Publish to Docker'
 inputs:
-  docker_username:  
+  docker_username:
     description: 'Docker user'
     required: true
-  docker_password:  
+  docker_password:
     description: 'Docker Password'
     required: true
-  tag:  
+  tag:
     description: 'Image tag '
-    required: true  
+    required: true
     default: 'user/app:latest'
 outputs:
   imageid:
@@ -19,6 +19,8 @@ runs:
   using: "composite"
   steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Setup node
       uses: actions/setup-node@v3
       with:
@@ -28,7 +30,7 @@ runs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
     - name: Login to DockerHub
-      uses: docker/login-action@v1 
+      uses: docker/login-action@v1
       with:
         username: ${{ inputs.DOCKER_USERNAME }}
         password: ${{ inputs.DOCKER_PASSWORD }}
@@ -59,4 +61,4 @@ runs:
         file: ./Dockerfile
         push: true
         tags:  |
-            ${{ inputs.tag }}  
+            ${{ inputs.tag }}
diff --git a/.github/workflows/create-pre-release.yml b/.github/workflows/create-pre-release.yml
@@ -26,7 +26,7 @@ on:
           - rc
           - snapshot
         required: false
-     
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
@@ -39,6 +39,8 @@ jobs:
       release: ${{ steps.prerelease.outputs.release }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup node
         uses: actions/setup-node@v4
         with:
@@ -48,7 +50,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -65,7 +67,7 @@ jobs:
         run: |
           docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise
       - run: echo "${{ github.ref }}"
-      - name: Tag a final release 
+      - name: Tag a final release
         id: prerelease
         uses: actionsdesk/semver@0.6.0-rc.10
         with:

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -17,6 +17,8 @@ jobs:
       release: ${{ steps.finalrelease.outputs.release }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup node
         uses: actions/setup-node@v4
         with:
@@ -26,7 +28,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -72,6 +74,8 @@ jobs:
     steps:
       - name: Clone repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Prepare
         run: |

diff --git a/.github/workflows/deploy-k8s.yml b/.github/workflows/deploy-k8s.yml
@@ -1,13 +1,13 @@
 name: Deploy to Kubernetes
-on: 
+on:
   workflow_dispatch:
     inputs:
       status:
-        description: 'Status of the previous workflow'     
+        description: 'Status of the previous workflow'
         required: true
         default: 'passed'
       release:
-        description: 'Release tag from the previous workflow'     
+        description: 'Release tag from the previous workflow'
         required: true
 env:
   DOCKER_IMAGE_NAME: yadhav/safe-settings
@@ -20,7 +20,7 @@ env:
 
 permissions:
   id-token: write
-  
+
 jobs:
   deploy-to-k8s:
     if: ${{ github.event.inputs.status == 'passed' }}
@@ -29,11 +29,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: azure/login@v1
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - uses: azure/aks-set-context@v3
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
@@ -67,4 +69,4 @@ jobs:
           images: ${{env.IMAGE_REGISTRY_URL}}/yadhav/safe-settings:${{ github.event.inputs.release }}
           imagepullsecrets: |
             image-pull-secret
-          kubectl-version: 'latest'        
+          kubectl-version: 'latest'
diff --git a/.github/workflows/node-ci.yml b/.github/workflows/node-ci.yml
@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup node
         uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/rc-release.yml b/.github/workflows/rc-release.yml
@@ -1,5 +1,5 @@
 # Simple workflow for deploying static content to GitHub Pages
-name: RC Release 
+name: RC Release
 
 on:
   pull_request:
@@ -24,38 +24,42 @@ jobs:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Use Node.js
       uses: actions/setup-node@v4
       with:
         node-version: 16.x
         cache: npm
     - run: npm ci
     - run: npm run build --if-present
-#    - run: npm test -- -u   
-    - name: Tag a rc release 
+#    - run: npm test -- -u
+    - name: Tag a rc release
       if: ${{ !github.event.pull_request.head.repo.fork }}
       id: rcrelease
       uses: actionsdesk/semver@0.6.0-rc.10
       with:
         prerelease: withBuildNumber
         prelabel: rc
         commitish: ${{ github.head_ref }}
-  
+
   image:
     name: Build and push Docker image
     runs-on: ubuntu-latest
     needs: rcrelease
     permissions:
       contents: read
       packages: write
-    
+
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
 
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - run: echo ${{ github.actor }}
 
@@ -86,7 +90,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           provenance: false
           sbom: false
-  
+
 #   package:
 #     needs: [rcrelease]
 #     runs-on: ubuntu-latest