Skip to content

ci: disable checkout credential persistence in build/release workflows#37

Merged
sangwa merged 1 commit into
mainfrom
ci/harden-checkout-credentials
Jun 19, 2026
Merged

ci: disable checkout credential persistence in build/release workflows#37
sangwa merged 1 commit into
mainfrom
ci/harden-checkout-credentials

Conversation

@sangwa

@sangwa sangwa commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

What & why

actions/checkout persists GITHUB_TOKEN into .git/config by default. The build/release jobs authenticate to GHCR via docker/login-action (and oras, which reads the docker config) and never push via git, so that persisted token is unused — it only widens the blast radius for anything running later in the job. Set persist-credentials: false on those checkouts.

Addresses an automatic-review finding on #36 (build-thailand.yml checkout), generalized across the workflows it also applies to.

Scope (audited every checkout)

Workflow Change Pushes via git?
build.yml persist-credentials: false no (docker push only)
build-thailand.yml persist-credentials: false no (docker push only)
release.yml persist-credentials: false no (docker/oras push only)
test.yml already false (done in #35) no
deploy-thailand.yml left true (intentional) yes — its checkout is the gitops push target

Checkout still authenticates its initial fetch; persist-credentials: false only stops the token being written to .git/config afterward — so the specific-ref checkout in build-thailand.yml is unaffected.

Validated: actionlint clean, all YAML parses.

Note: independent of #36 (touches different lines of build-thailand.yml) — no merge conflict regardless of order.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced security in deployment workflows by preventing GitHub credentials from being persisted in the local git configuration during build and release processes.
    • Applied consistent credential handling practices across build, regional deployment, and release workflows to strengthen overall pipeline security posture.

actions/checkout persists GITHUB_TOKEN into .git/config by default. The build
and release jobs only push to GHCR via docker/login-action (and oras, which
reads the docker config) — they never push via git — so the persisted token is
unused and just widens the blast radius. Set persist-credentials: false on the
checkouts in build.yml, build-thailand.yml and release.yml.

test.yml was already hardened this way; deploy-thailand.yml deliberately keeps
persist-credentials: true because its checkout IS the gitops push target.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d37b3e00-dc01-464f-a899-d198708ed372

📥 Commits

Reviewing files that changed from the base of the PR and between f6de284 and 925b620.

📒 Files selected for processing (3)
  • .github/workflows/build-thailand.yml
  • .github/workflows/build.yml
  • .github/workflows/release.yml

Walkthrough

Three GitHub Actions workflow files (build.yml, build-thailand.yml, release.yml) are updated to add persist-credentials: false to their actions/checkout steps. This setting prevents the GitHub token from being written into the local .git/config during workflow execution. No other workflow logic, job structure, or steps are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hopping through the CI fields so bright,
No credentials left in .git at night,
Three workflows patched with a tidy line,
The token stays safe, the config stays fine,
This bunny seals secrets with delight! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: disabling checkout credential persistence across build and release workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/harden-checkout-credentials

Comment @coderabbitai help to get the list of available commands and usage tips.

@sangwa sangwa merged commit 0d09026 into main Jun 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant