GH Actions: do not persist credentials#22855

Merged
jrfnl merged 1 commit into trunk from JRF/ghactions-do-not-persist-credentials
Jan 3, 2026
Conversation

@jrfnl
Contributor

@jrfnl jrfnl commented Jan 3, 2026

Context

  • Improve CI security

Summary

This PR can be summarized in the following changelog entry:

  • Improve CI security

Relevant technical choices:

By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated.

Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact.

However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed.

Remediation

Unless needed for git operations, actions/checkout should be used with persist-credentials: false.

If the persisted credential is needed, it should be made explicit with persist-credentials: true.

This has now been addressed in all workflows.

Refs:

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • N/A

> By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated.
>
> Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`.
>
> However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed.
>
> **Remediation**
>
> Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`.
>
> If the persisted credential is needed, it should be made explicit with `persist-credentials: true`.

This has now been addressed in all workflows.

Refs:
* https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
* https://docs.zizmor.sh/audits/#artipacked
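An added example (not part of this PR or of the project's workflows) that turns the remediation above into a check: it scans a workflow for `actions/checkout` steps and reports whether `persist-credentials` is explicitly `false`, explicitly `true`, or left at the implicit default. The workflow text is constructed for the example, and the line-based parsing is an assumption chosen so no YAML library is needed.

```python
import re

# Matches a `uses: actions/checkout@...` line, with or without the leading "- ".
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?actions/checkout@")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?(\w+)")

# Constructed workflow (not from the PR): one job per setting discussed above.
SAMPLE_WORKFLOW = """\
jobs:
  lint:  # implicit default: the token is written to .git/config
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  test:  # hardened: no later step needs the token
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test
  release:  # explicit opt-in: a later step pushes with the token
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: true
      - run: git push origin --tags
"""


def audit_workflow(text):
    """Return one finding per actions/checkout step: line, value and verdict."""
    findings, step = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("- ") and step:  # next list item ends the step
            findings.append(step)
            step = None
        if CHECKOUT_RE.match(line):
            step = {"line": lineno, "value": None}
        elif step and (m := PERSIST_RE.match(line)):
            step["value"] = m.group(1).lower()
    if step:
        findings.append(step)
    for f in findings:  # absent means true for actions/checkout, so it is a finding
        f["verdict"] = {"false": "ok", "true": "explicit-true"}.get(f["value"], "implicit-true")
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags only the `lint` job, which is the state every workflow in this PR was moved away from.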
@jrfnl jrfnl added this to the 26.8 milestone Jan 3, 2026
@jrfnl jrfnl added the `yoast cs/qa` and `changelog: non-user-facing` (Needs to be included in the 'Non-userfacing' category in the changelog) labels Jan 3, 2026
@jrfnl jrfnl merged commit 182e607 into trunk Jan 3, 2026
43 checks passed
@jrfnl jrfnl deleted the JRF/ghactions-do-not-persist-credentials branch January 3, 2026 04:19
@coveralls

Pull Request Test Coverage Report for Build 4f55b76dbc1953f7523060476efc96d1b74e012c

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 53.324%

Totals Coverage Status

  • Change from base Build f90d6c5db10521a972a6f782f873e0d23e2aebba: 0.0%
  • Covered Lines: 32854
  • Relevant Lines: 61792

💛 - Coveralls
