From f70d6052bac16aaa7e62379d81453e54496793e2 Mon Sep 17 00:00:00 2001
From: Marcin Raba
Date: Wed, 24 Apr 2024 10:25:48 +0200
Subject: [PATCH] mraba/gh-actions-update: set persist-credentials to false in checkout actions
---
 .github/workflows/changelog.yml | 1 +
 .github/workflows/create_req_files.yml | 3 +++
 .github/workflows/jira_close.yml | 1 +
 .github/workflows/jira_issue.yml | 1 +
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/snyk-pr.yml | 2 ++
 6 files changed, 10 insertions(+)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index bdb2eba1..252405fd 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -14,6 +14,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: Ensure DESCRIPTION.md is updated
diff --git a/.github/workflows/create_req_files.yml b/.github/workflows/create_req_files.yml
index f89871eb..618b3024 100644
--- a/.github/workflows/create_req_files.yml
+++ b/.github/workflows/create_req_files.yml
@@ -12,6 +12,8 @@ jobs:
 python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
@@ -48,6 +50,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 token: ${{ secrets.SNOWFLAKE_GITHUB_TOKEN }} # stored in GitHub secrets
 - name: Download requirement files
 uses: actions/download-artifact@v4
diff --git a/.github/workflows/jira_close.yml b/.github/workflows/jira_close.yml
index 0dacf7fa..5b170d75 100644
--- a/.github/workflows/jira_close.yml
+++ b/.github/workflows/jira_close.yml
@@ -11,6 +11,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 repository: snowflakedb/gh-actions
 ref: jira_v1
 token: ${{ secrets.SNOWFLAKE_GITHUB_TOKEN }} # stored in GitHub secrets
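Review bot: `uses: actions/checkout@v4` in the .github/workflows/changelog.yml hunk is referenced by a mutable tag, so the code that runs with the job's token can change without any commit in this repository; the same holds for every checkout step touched in the create_req_files.yml, jira_close.yml, jira_issue.yml, python-publish.yml and snyk-pr.yml hunks. Since this commit is already hardening the checkout steps, consider pinning them to a full commit SHA and keeping the tag as a comment, `uses: actions/checkout@<full-commit-sha>  # v4`. The placeholder stands for a commit the maintainers have verified; it is not taken from this patch.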
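Review bot: In the second create_req_files.yml hunk (`@@ -48,6 +50,7 @@`) the checkout still receives `token: ${{ secrets.SNOWFLAKE_GITHUB_TOKEN }}`, but with `persist-credentials: false` that token is used for the fetch only and is not left in the local git config for later steps. The job continues outside the hunk, so it is not visible whether a later step commits or pushes the downloaded requirement files; if one does, it would now run without credentials and presumably fail. Confirm this before merging, and if a push exists, hand the token to that single step through its own `env:` rather than re-enabling persistence. A comment above the `with:` block such as `# credentials are not persisted; later git push steps must authenticate explicitly` would record the intent.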
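Review bot: `ref: jira_v1` in the jira_close.yml hunk (and the identical step in the jira_issue.yml hunk) names a ref in `snowflakedb/gh-actions` that can be moved, so the content this job checks out is not fixed by anything in this repository. The steps that consume the checkout are outside the hunk; if they execute actions from it with secrets in scope, pinning to a reviewed commit makes that code immutable, for example `ref: <reviewed-commit-sha>  # jira_v1`. The placeholder is not a value from this patch.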
diff --git a/.github/workflows/jira_issue.yml b/.github/workflows/jira_issue.yml
index 0cfdd36a..31b93aae 100644
--- a/.github/workflows/jira_issue.yml
+++ b/.github/workflows/jira_issue.yml
@@ -16,6 +16,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 repository: snowflakedb/gh-actions
 ref: jira_v1
 token: ${{ secrets.SNOWFLAKE_GITHUB_TOKEN }} # stored in GitHub secrets
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 0b769dcb..ab4be45b 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/snyk-pr.yml b/.github/workflows/snyk-pr.yml
index cee9e7b9..cc5e8644 100644
--- a/.github/workflows/snyk-pr.yml
+++ b/.github/workflows/snyk-pr.yml
@@ -17,12 +17,14 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 ref: ${{ github.event.pull_request.head.ref }}
 fetch-depth: 0
 - name: Checkout Action
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 repository: snowflakedb/whitesource-actions
 token: ${{ secrets.whitesource_action_token }}
 path: whitesource-actions
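Review bot: The first checkout in the snyk-pr.yml hunk takes `ref: ${{ github.event.pull_request.head.ref }}`, a value chosen by the pull-request author, and the same job then performs a second checkout with `secrets.whitesource_action_token`. The workflow's `on:` trigger and any `permissions:` block are outside the hunk, so it cannot be confirmed from here that pull-request content never runs with secrets in scope. `persist-credentials: false` keeps both tokens out of the checked-out `.git/config`, but it does not limit what later steps in the job can read. Confirm the trigger and, if that is the intent, document the boundary next to the step, for example `# PR branch is untrusted input; no step below may execute code from it`. If a later step pushes to the PR branch, it will also need explicit authentication now.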