ci: disable checkout credential persistence in build/release workflows#37
actions/checkout persists GITHUB_TOKEN into .git/config by default. The build and release jobs only push to GHCR via docker/login-action (and oras, which reads the docker config) — they never push via git — so the persisted token is unused and just widens the blast radius. Set persist-credentials: false on the checkouts in build.yml, build-thailand.yml and release.yml. test.yml was already hardened this way; deploy-thailand.yml deliberately keeps persist-credentials: true because its checkout IS the gitops push target. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CodeRabbit review: No actionable comments were generated in the recent review. Files selected for processing: 3.

Walkthrough: Three GitHub Actions workflow files (

Estimated code review effort: 1 (Trivial), ~2 minutes.

Pre-merge checks: 5 passed.
What & why
`actions/checkout` persists `GITHUB_TOKEN` into `.git/config` by default. The build/release jobs authenticate to GHCR via `docker/login-action` (and `oras`, which reads the docker config) and never push via git, so that persisted token is unused — it only widens the blast radius for anything running later in the job. Set `persist-credentials: false` on those checkouts.

Addresses an automatic-review finding on #36 (build-thailand.yml checkout), generalized across the workflows it also applies to.
Scope (audited every checkout)

| Workflow | `persist-credentials` |
| --- | --- |
| build.yml | `persist-credentials: false` |
| build-thailand.yml | `persist-credentials: false` |
| release.yml | `persist-credentials: false` |
| test.yml | `false` (done in #35) |
| deploy-thailand.yml | `true` (intentional) |

Checkout still authenticates its initial fetch; `persist-credentials: false` only stops the token being written to `.git/config` afterward — so the specific-ref checkout in `build-thailand.yml` is unaffected.

Validated: actionlint clean, all YAML parses.
Note: independent of #36 (touches different lines of `build-thailand.yml`) — no merge conflict regardless of order.

🤖 Generated with Claude Code
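The hardening described in this PR, shown as a complete minimal GHCR build job. This is an added example and not one of the repository's own workflow files; the workflow name, job layout, image tag and the verification step are assumptions. The verification step fails the job if a credential header is still present in `.git/config`, which is where `actions/checkout` stores the token (as `http.https://github.com/.extraheader`) when `persist-credentials` is left at its default.

```yaml
# Added example (not from the PR): a minimal GHCR build job with the
# hardened checkout. Workflow name, image name and job layout are assumed.
name: build

on:
  push:
    branches: [main]

permissions:
  contents: read      # checkout only needs to read the repository
  packages: write     # docker/login-action + docker push to GHCR

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Default (persist-credentials: true) leaves GITHUB_TOKEN in .git/config
      # as http.https://github.com/.extraheader, readable by every later step,
      # including third-party actions and build tooling.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # the initial fetch is still authenticated

      # Guard (assumed step): fail the job if a credential header was persisted.
      # `git config --get-all` exits 1 when the key is absent, which is the
      # expected outcome here.
      - name: Verify no git credential was persisted
        run: |
          if git config --get-all http.https://github.com/.extraheader >/dev/null 2>&1; then
            echo "::error::GITHUB_TOKEN persisted in .git/config"
            exit 1
          fi

      # Registry auth is separate from git: docker/login-action writes to
      # ~/.docker/config.json, which oras also reads.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        run: |
          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
```

The `permissions` block is the other half of the same least-privilege idea: even if a later step did read the token, `contents: read` limits what it could do with it, while `packages: write` is all the registry push needs. A gitops job that must push back to the repository (like `deploy-thailand.yml` in this PR) is the one case where `persist-credentials: true` and `contents: write` are both justified.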