Refine check-no-persist-credentials CI job

EliahKagan · EliahKagan · commit 741cb6b3553a · 2025-09-21T20:04:22.000-04:00
This also tests the job by manually trying out several ways it should fail to make sure it does, but I squashed those out. The can be seen at EliahKagan#105 and are summarized as follows: * Test that we always have `actions/checkout` not persist credentials * Check that we catch `actions/checkout` with no `with` * Improve `check-no-persist-credentials` output and maintainability * Check that we catch checkout `with` without `persist-credentials` * Check that we catch `persist-credentials` not set to boolean false * Having tested the new check, restore `persist-credentials: false`
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -561,6 +561,33 @@ jobs:
           git status
           git diff --exit-code
 
+  # Check that all `actions/checkout` in CI jobs have `persist-credentials: false`.
+  check-no-persist-credentials:
+    runs-on: ubuntu-latest
+
+    env:
+      GLOB: .github/workflows/*.@(yaml|yml)
+
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          sparse-checkout: '.github/workflows'
+      - name: List workflows to be scanned
+        run: |
+          shopt -s extglob
+          printf '%s\n' ${{ env.GLOB }}
+      - name: Scan workflows
+        run: |
+          shopt -s extglob
+          yq '.jobs.*.steps[]
+            | select(.uses == "actions/checkout@*" and .with.["persist-credentials"]? != false)
+            | {"file": filename, "line": line, "name": (.name // .uses)}
+            | .file + ":" + (.line | tostring) + ": " + .name
+          ' -- ${{ env.GLOB }} >query-output.txt
+          cat query-output.txt
+          test -z "$(<query-output.txt)"  # Report failure if we found anything.
+
   # Check that only jobs intended not to block PR auto-merge are omitted as
   # dependencies of the `tests-pass` job below, so that whenever a job is
   # added, a decision is made about whether it must pass for PRs to merge.
@@ -615,6 +642,7 @@ jobs:
       - lint
       - cargo-deny
       - check-packetline
+      - check-no-persist-credentials
       - check-blocking
 
     if: always()  # Always run even if dependencies fail.
