From db9cef3c4fc187e6e1bd96ed3f1a7f4f2bb57dcd Mon Sep 17 00:00:00 2001
From: Rich Trott
Date: Sat, 27 Nov 2021 14:12:26 -0800
Subject: [PATCH] build: set persist-credentials: false on workflows
Out of extra caution, instruct `actions/checkout` to not save GitHub authentication credentials in the git config for use by future steps.
PR-URL: https://github.com/nodejs/node/pull/40972
Reviewed-By: Antoine du Hamel
Reviewed-By: Luigi Pinca
---
 .github/workflows/authors.yml | 1 +
 .github/workflows/auto-start-ci.yml | 2 ++
 .github/workflows/build-tarball.yml | 4 ++++
 .github/workflows/build-windows.yml | 2 ++
 .github/workflows/commit-lint.yml | 1 +
 .github/workflows/commit-queue.yml | 1 +
 .github/workflows/coverage-linux.yml | 2 ++
 .github/workflows/coverage-windows.yml | 2 ++
 .github/workflows/daily.yml | 2 ++
 .../workflows/find-inactive-collaborators.yml | 1 +
 .github/workflows/find-inactive-tsc.yml | 5 ++++-
 .github/workflows/license-builder.yml | 2 ++
 .github/workflows/linters.yml | 17 +++++++++++++++++
 .github/workflows/misc.yml | 2 ++
 .github/workflows/test-asan.yml | 2 ++
 .github/workflows/test-internet.yml | 2 ++
 .github/workflows/test-linux.yml | 2 ++
 .github/workflows/test-macos.yml | 2 ++
 .github/workflows/tools.yml | 2 ++
 19 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml
index 7374ff66a8c29d..40d68d9af08d37 100644
--- a/.github/workflows/authors.yml
+++ b/.github/workflows/authors.yml
@@ -14,6 +14,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: '0' # This is required to actually get all the authors + persist-credentials: false - run: "tools/update-authors.js" # Run the AUTHORS tool - uses: gr2m/create-or-update-pull-request-action@v1 # Create a PR or update the Action's existing PR env:
diff --git a/.github/workflows/auto-start-ci.yml b/.github/workflows/auto-start-ci.yml
index 21a8de921798d1..c7bfd56ae1732c 100644
--- a/.github/workflows/auto-start-ci.yml
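Review bot: The job in this hunk goes on to open or update a pull request through gr2m/create-or-update-pull-request-action@v1, which has to push a branch, so it is worth confirming that step still authenticates once the checkout credential is no longer left in the git config. The `env:` line at the end of the hunk suggests the action is handed its own token, in which case nothing changes, but the hunk is cut before the env values and the step body, so this cannot be confirmed from the diff. The same check applies to the license-builder.yml and tools.yml hunks, which use the same action after their checkout. One scheduled run of each of these three workflows after merge would settle it.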
+++ b/.github/workflows/auto-start-ci.yml
@@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false # Install dependencies - name: Install Node.js
diff --git a/.github/workflows/build-tarball.yml b/.github/workflows/build-tarball.yml
index 7f96504f781406..bebe414216f571 100644
--- a/.github/workflows/build-tarball.yml
+++ b/.github/workflows/build-tarball.yml
@@ -31,6 +31,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
@@ -57,6 +59,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
index 992319168b7e9c..1155b65cf2c7ac 100644
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@@ -29,6 +29,8 @@ jobs: runs-on: ${{ matrix.windows }} steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 0f0c6d66938d2c..524df2224074fc 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -17,6 +17,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: ${{ steps.nb-of-commits.outputs.plusOne }} + persist-credentials: false - run: git reset HEAD^2 - name: Install Node.js uses: actions/setup-node@v2
diff --git a/.github/workflows/commit-queue.yml b/.github/workflows/commit-queue.yml
index 54b114b7b7e813..0dc7c4d5c3f9de 100644
--- a/.github/workflows/commit-queue.yml
+++ b/.github/workflows/commit-queue.yml
@@ -26,6 +26,7 @@ jobs: # Needs the whole git history for ncu to work # See https://github.com/nodejs/node-core-utils/pull/486 fetch-depth: 0 + persist-credentials: false # A personal token is required because pushing with GITHUB_TOKEN will # prevent commits from running CI after they land. It needs # to be set here because `checkout` configures GitHub authentication
diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml
index e322e764840989..ba5a553e44b618 100644
--- a/.github/workflows/coverage-linux.yml
+++ b/.github/workflows/coverage-linux.yml
@@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/coverage-windows.yml b/.github/workflows/coverage-windows.yml
index 4473eb9bd74ae3..3fb1b5c88787e6 100644
--- a/.github/workflows/coverage-windows.yml
+++ b/.github/workflows/coverage-windows.yml
@@ -30,6 +30,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index e36a3fb5194125..2f2560dd751c1d 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -15,6 +15,8 @@ jobs: container: gcc:11 steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with:
diff --git a/.github/workflows/find-inactive-collaborators.yml b/.github/workflows/find-inactive-collaborators.yml
index 2fc2b9036fe6ef..942fcd77c81791 100644
--- a/.github/workflows/find-inactive-collaborators.yml
+++ b/.github/workflows/find-inactive-collaborators.yml
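Review bot: The context comment directly under the new `persist-credentials: false` line in the commit-queue.yml hunk states that the personal token "needs to be set here because `checkout` configures GitHub authentication" for later steps, and that is precisely the behaviour this setting switches off, so the comment and the new line now contradict each other. Whatever pushes the queued commits later in this job (the checkout step and the rest of the job continue outside the hunk) can no longer rely on a credential left in the git config by checkout and has to supply its own; if it already does, the comment should say so, e.g. `# The personal token is used for the fetch only; credentials are not persisted, so the push step must authenticate on its own.` If it does not, the commit queue would be expected to fail at its push on the first run after this lands, which is worth checking before merging rather than after.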
@@ -20,6 +20,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: ${{ env.NUM_COMMITS }} + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2
diff --git a/.github/workflows/find-inactive-tsc.yml b/.github/workflows/find-inactive-tsc.yml
index 76190f1deb6943..aacb4d1ed56de5 100644
--- a/.github/workflows/find-inactive-tsc.yml
+++ b/.github/workflows/find-inactive-tsc.yml
@@ -18,13 +18,16 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v2 + with: + persist-credentials: false - name: Clone nodejs/TSC repository uses: actions/checkout@v2 with: fetch-depth: 0 - repository: nodejs/TSC path: .tmp + persist-credentials: false + repository: nodejs/TSC - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2
diff --git a/.github/workflows/license-builder.yml b/.github/workflows/license-builder.yml
index 5f9af7bd7750ac..b959eb8932285b 100644
--- a/.github/workflows/license-builder.yml
+++ b/.github/workflows/license-builder.yml
@@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - run: "./tools/license-builder.sh" # Run the license builder tool - uses: gr2m/create-or-update-pull-request-action@v1.x # Create a PR or update the Action's existing PR env:
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index ebd27575c4778b..166846ae3f8705 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with:
@@ -33,6 +35,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
@@ -46,6 +50,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with:
@@ -68,6 +74,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with:
@@ -81,6 +89,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
@@ -96,6 +106,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
@@ -112,6 +124,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - run: shellcheck -V - name: Lint Shell scripts run: tools/lint-sh.js .
@@ -120,6 +134,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: mszostok/codeowners-validator@v0.6.0 with: checks: "files,duppatterns"
@@ -130,5 +146,6 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 2 + persist-credentials: false # GH Actions squashes all PR commits, HEAD^ refers to the base branch. - run: git diff HEAD^ HEAD -G"pr-url:" -- "*.md" | ./tools/lint-pr-url.mjs ${{ github.event.pull_request.html_url }}
diff --git a/.github/workflows/misc.yml b/.github/workflows/misc.yml
index 64f58f2e96f448..bcf3915059e536 100644
--- a/.github/workflows/misc.yml
+++ b/.github/workflows/misc.yml
@@ -19,6 +19,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with:
diff --git a/.github/workflows/test-asan.yml b/.github/workflows/test-asan.yml
index 8965e38dd09502..29956196d0216f 100644
--- a/.github/workflows/test-asan.yml
+++ b/.github/workflows/test-asan.yml
@@ -40,6 +40,8 @@ jobs: CONFIG_FLAGS: --enable-asan steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml
index 44757dd287280c..94f4ab9086be6d 100644
--- a/.github/workflows/test-internet.yml
+++ b/.github/workflows/test-internet.yml
@@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml
index 374bf747790399..ba2244aa116bc3 100644
--- a/.github/workflows/test-linux.yml
+++ b/.github/workflows/test-linux.yml
@@ -29,6 +29,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml
index 2926c3ed2eb568..7da25a825871fd 100644
--- a/.github/workflows/test-macos.yml
+++ b/.github/workflows/test-macos.yml
@@ -35,6 +35,8 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index 1d249832cafaeb..c5d1d7eb1143b0 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -50,6 +50,8 @@ jobs: fi steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - run: ${{ matrix.run }} - uses: gr2m/create-or-update-pull-request-action@v1 # Create a PR or update the Action's existing PR env: