From 99d2496869e25444f7d4d455abc9b0ac5cd044a5 Mon Sep 17 00:00:00 2001
From: Trevor Stone
Date: Sat, 3 Feb 2024 21:06:19 -0700
Subject: [PATCH] Don't persist credentials when not needed, and save verbose test results

persist-credentials defaults to true (see https://github.com/actions/checkout/issues/485). It looks like pull_request workflows run without token access, but it's not clear from https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ if that means persist-credentials doesn't leave a secret in the .git directory where a malicious PR could access it.
---
 .github/workflows/ci.yaml | 9 ++++++++-
 .github/workflows/release.yaml | 6 +++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 93a643c..0bc28b0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -38,12 +38,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
 cache: true
 - name: Test
- run: go test ./...
+ run: go test -v ./... | tee "${RUNNER_TEMP}/go-test-results.txt"
+ - uses: actions/upload-artifact@v4
+ with:
+ name: go-test-results
+ path: "${{ env.RUNNER_TEMP }}/go-test-results.txt"
 
 build:
 needs: test
@@ -62,6 +68,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
 - uses: actions/setup-go@v5
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f90e361..7790057 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -33,12 +33,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: '>=1.18'
 cache: true
 - name: Test
- run: go test ./...
+ run: go test -v ./...
 
 build:
 needs: test
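Review bot: The new `run: go test -v ./... | tee "${RUNNER_TEMP}/go-test-results.txt"` line in the ci.yaml test job lets a failing test suite pass the step, because the step's exit status is tee's and the implicit `bash -e {0}` shell used when `shell:` is unset does not enable pipefail. Add `shell: bash` to the Test step (GitHub runs that form with `-o pipefail`) or prefix the command with `set -o pipefail;`. Once failures fail the step, the `actions/upload-artifact@v4` step added after it is skipped on exactly the runs whose results matter most, so it needs `if: always()` (or `if: ${{ !cancelled() }}`). The artifact path is also more reliably written as `path: ${{ runner.temp }}/go-test-results.txt`, since the runner's default variables such as RUNNER_TEMP may not resolve through the `env` context.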
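Review bot: The `run: go test -v ./...` line in the release.yaml test job only makes the log verbose; unlike the ci.yaml test job in the same commit, nothing here captures or uploads the results, so the two workflows now diverge on the "save verbose test results" part of the change. If results should be kept for release runs too, mirror the tee-plus-`actions/upload-artifact@v4` pattern, and give the step `shell: bash` so the pipe does not mask a non-zero exit from `go test`.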
@@ -56,6 +58,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: '>=1.18'