GHA: set persist-credentials: false

Suggested by zizmor GHA analysis tool.

Also:
- Move GH variables within single-quotes.
- Prefer single-quotes in shell code. (tidy-up)

Ref: https://github.com/actions/checkout/issues/485
Ref: https://github.com/actions/checkout/pull/1687
Ref: https://woodruffw.github.io/zizmor/

Closes #15746
Viktor Szakats 2024-12-15 00:45:04 +01:00
parent 9991f255dd
commit ba9fe58d43
GPG Key ID: B5ABD165E2AEF201
13 changed files with 72 additions and 5 deletions


@ -37,6 +37,8 @@ jobs:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
# with:
# persist-credentials: false
# name: checkout
#
# - name: install prereqs
@ -89,6 +91,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: Run mdlinkcheck
@ -98,6 +102,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: trim all man page *.md files
@ -124,6 +130,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: badwords
@ -136,6 +144,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: render nroff versions
@ -149,6 +159,8 @@ jobs:
timeout-minutes: 5
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: spacecheck
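Review bot: The commented-out checkout step in the first hunk pins actions/checkout to eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871, while every live checkout step in this file (and in the other workflow sections of this commit) pins 11bd71901bbe5b1630ceea73d27597364c9af683, both labelled `# v4`; if that block is ever re-enabled it will run a different revision of the action than the rest of the workflow. Since the commit is already editing the commented block, aligning the pin to the one used everywhere else, or dropping the dead step if it is not coming back, would keep the file consistent. I cannot tell from the hunk which v4 release each SHA corresponds to.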


@ -36,6 +36,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: check
@ -45,6 +47,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: install
@ -81,6 +85,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: REUSE Compliance Check
@ -91,6 +97,8 @@ jobs:
timeout-minutes: 5
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: shellcheck


@ -48,6 +48,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL


@ -33,6 +33,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: run configure --with-openssl
run: |
@ -71,6 +73,8 @@ jobs:
echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: run configure --with-openssl
run: |
@ -108,6 +112,8 @@ jobs:
run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: run configure --with-schannel
run: |


@ -48,6 +48,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
path: 'curl'
fetch-depth: 8
- name: 'build'
@ -75,6 +76,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
path: 'curl'
fetch-depth: 8
- name: 'build'
@ -101,6 +103,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
path: 'curl'
fetch-depth: 8
- name: 'build'
@ -116,6 +119,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
path: 'curl'
fetch-depth: 8
- name: 'build'


@ -25,6 +25,8 @@ jobs:
timeout-minutes: 15
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
name: 'remove preinstalled curl libcurl4{-doc}'
@ -129,6 +131,8 @@ jobs:
needs: maketgz-and-verify-in-tree
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
@ -141,6 +145,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
name: 'remove preinstalled curl libcurl4{-doc}'


@ -28,6 +28,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
fetch-depth: 100
- name: Check whether repo participates in Hacktoberfest
@ -40,13 +41,13 @@ jobs:
- name: Search relevant commit message lines starting with Closes/Merges
run: |
git log --format=email ${{ github.event.before }}..${{ github.event.after }} | \
grep -Ei "^Close[sd]? " | sort | uniq | tee log
git log --format=email '${{ github.event.before }}..${{ github.event.after }}' | \
grep -Ei '^Close[sd]? ' | sort | uniq | tee log
if: steps.check.outputs.label == 'hacktoberfest'
- name: Search for Number-based PR references
run: |
grep -Eo "#([0-9]+)" log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
grep -Eo '#([0-9]+)' log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
gh pr view {} --json number,createdAt \
--jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
@ -57,8 +58,8 @@ jobs:
- name: Search for URL-based PR references
run: |
grep -Eo "github.com/(.+)/(.+)/pull/([0-9]+)" log | sort | uniq | xargs -t -n1 -I{} \
gh pr view "https://{}" --json number,createdAt \
grep -Eo 'github.com/(.+)/(.+)/pull/([0-9]+)' log | sort | uniq | xargs -t -n1 -I{} \
gh pr view 'https://{}' --json number,createdAt \
--jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
gh pr edit {} --add-label 'hacktoberfest-accepted'
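Review bot: Wrapping `${{ github.event.before }}..${{ github.event.after }}` in single quotes in the `git log` line does not change what reaches bash, because the runner substitutes the expression text into the script before the shell parses it, so a value containing a quote would still terminate the literal; the quotes give the appearance of protection without providing it. For push-event SHAs the practical exposure is small, but the form that actually decouples the expression from shell parsing is to pass the values through `env:` and reference them as shell variables, which is also what zizmor's template-injection check recommends. The step's `if:` line and the later PR-lookup steps are unaffected by this change.
```yaml
- name: Search relevant commit message lines starting with Closes/Merges
  env:
    BEFORE: ${{ github.event.before }}
    AFTER: ${{ github.event.after }}
  run: |
    git log --format=email "$BEFORE..$AFTER" | \
      grep -Ei '^Close[sd]? ' | sort | uniq | tee log
  # … unchanged: if: condition and the following steps …
```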


@ -450,6 +450,8 @@ jobs:
name: 'build quiche and boringssl'
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- run: autoreconf -fi
if: ${{ matrix.build.configure }}


@ -74,6 +74,8 @@ jobs:
dpkg -i libc6_*_amd64.deb
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'cmake build-only (out-of-tree, libssh2)'
run: |


@ -320,6 +320,8 @@ jobs:
name: 'install dependencies'
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'Fix kernel mmap rnd bits'
# Asan in llvm 14 provided in ubuntu 22.04 is incompatible with


@ -208,6 +208,8 @@ jobs:
fi
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'toolchain versions'
run: |
@ -416,6 +418,8 @@ jobs:
while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'toolchain versions'
run: |


@ -45,6 +45,8 @@ jobs:
arch: ['x86_64']
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'cmake'
uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
with:
@ -83,6 +85,8 @@ jobs:
arch: ['x86_64']
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'cmake'
uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
with:
@ -126,6 +130,8 @@ jobs:
fail-fast: false
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'autotools'
if: ${{ matrix.build == 'autotools' }}
uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
@ -193,6 +199,8 @@ jobs:
timeout-minutes: 30
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'autotools'
uses: vmactions/omnios-vm@16b5996777bc675acd3d537f13df536a526cd16d # v1
with:


@ -55,6 +55,8 @@ jobs:
- run: git config --global core.autocrlf input
shell: pwsh
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4
with:
platform: ${{ matrix.platform }}
@ -187,6 +189,8 @@ jobs:
shell: pwsh
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2
if: ${{ matrix.sys == 'msys' }}
@ -409,6 +413,8 @@ jobs:
- run: git config --global core.autocrlf input
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'configure'
timeout-minutes: 5
@ -495,6 +501,8 @@ jobs:
run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64 ${{ matrix.build == 'cmake' && 'ninja-build' || '' }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'autoreconf'
if: ${{ matrix.build == 'autotools' }}
@ -662,6 +670,8 @@ jobs:
fail-fast: false
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: 'vcpkg cache setup'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7