Conversation

@EliahKagan (Member)

When actions/checkout is used to check out the repository on CI, it persists credentials related to the GitHub token in the local scope configuration at .git/config, unless persist-credentials is explicitly set to false. This facilitates subsequent remote operations on the repository that could otherwise fail, but we have no such operations in any of our workflows.

As an added layer of protection to keep these credentials from leaking into logs (or otherwise being displayed or subject to exfiltration) in case there is ever unintended coupling between the operation of the test suite (or any step subsequent to checkout that is used to prepare or run tests or other checks) and the cloned gitoxide repository itself, this:

  • Adds persist-credentials: false in a with mapping on every step that uses actions/checkout.
  • Adds a new CI job that checks that every actions/checkout step in any job in any workflow sets persist-credentials to false.

In addition to usual testing on CI, the release.yml workflow is among the workflows changed here, and it has also been tested: https://github.com/EliahKagan/gitoxide/actions/runs/17899238656

See also:

- https://github.com/actions/checkout/blob/main/README.md
  (Covers what happens with/without `persist-credentials: false`).

- actions/checkout#485
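To make the persisted credential concrete, here is an added example (written for this page; not code from gitoxide or from actions/checkout) that scans a `.git/config` for the `http.<url>.extraheader` entry actions/checkout writes when `persist-credentials` is left at its default. The sample config text and the token in it are constructed placeholders, and the parser is a minimal one covering only what the check needs.

```python
"""Find the credential that actions/checkout leaves behind in .git/config.

Added example; this is not code from gitoxide or from actions/checkout.
With `persist-credentials` left at its default of true, the action stores
the job token as an HTTP extra header scoped to the GitHub host, i.e. a
`.git/config` entry of the form

    [http "https://github.com/"]
        extraheader = AUTHORIZATION: basic <base64("x-access-token:" + token)>

Everything here uses the standard library only. The config text and the
token are constructed samples; the token is a placeholder, not a secret.
"""
import base64
import re

FAKE_TOKEN = "ghs_FAKETOKEN1234567890"  # placeholder, not a real token
_B64 = base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode()

# Constructed: what .git/config looks like after a default checkout.
SAMPLE_CONFIG = f"""\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://github.com/GitoxideLabs/gitoxide
\tfetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {_B64}
[gc]
\tauto = 0
"""

# Constructed: the same checkout with `persist-credentials: false`.
SAMPLE_CONFIG_CLEAN = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/GitoxideLabs/gitoxide
"""

_SECTION = re.compile(r'^\[\s*(?P<name>[^\s"\]]+)(?:\s+"(?P<sub>(?:[^"\\]|\\.)*)")?\s*\]$')
_ENTRY = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_git_config(text):
    """Yield (section, subsection, key, value) tuples.

    Section names and keys are case-insensitive in git, so they are
    lower-cased; subsections (the quoted part) are case-sensitive and kept.
    Values are returned raw, without git's quote/escape processing, which is
    enough for the extraheader values this check cares about.
    """
    section = subsection = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group("name").lower()
            subsection = m.group("sub")
            continue
        m = _ENTRY.match(line)
        if m and section is not None:
            yield section, subsection, m.group("key").lower(), m.group("value").strip()


def find_persisted_credentials(text):
    """Return [(url, header)] for every http.<url>.extraheader entry that
    carries an Authorization header. An empty list means nothing persisted."""
    hits = []
    for section, sub, key, value in parse_git_config(text):
        if section == "http" and key == "extraheader" and value.lower().startswith("authorization:"):
            hits.append((sub or "*", value))
    return hits


def describe_basic_auth(header):
    """For 'AUTHORIZATION: basic <b64>', return (user, secret_length) so a
    finding can be logged without echoing the secret. None if not Basic."""
    scheme, _, payload = header.split(":", 1)[1].strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, secret = base64.b64decode(payload).decode("utf-8", "replace").partition(":")
    return user, len(secret)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else ".git/config"
    with open(path, encoding="utf-8") as fh:
        found = find_persisted_credentials(fh.read())
    for url, header in found:
        print(f"persisted credential for {url}: {describe_basic_auth(header)}")
    sys.exit(1 if found else 0)
```

Every step that runs after checkout sees that entry, so a test that dumps or copies the checked-out repository's `.git/config`, or a tool that prints its effective git configuration, would include the header; `git config --local --get-all http.https://github.com/.extraheader` shows it directly on a runner.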

This also tests the job by manually trying out several ways it
should fail to make sure it does, but I squashed those out. They can
be seen at #105 and are summarized as follows:

* Test that we always have `actions/checkout` not persist credentials

* Check that we catch `actions/checkout` with no `with`

* Improve `check-no-persist-credentials` output and maintainability

* Check that we catch checkout `with` without `persist-credentials`

* Check that we catch `persist-credentials` not set to boolean false

* Having tested the new check, restore `persist-credentials: false`

EliahKagan merged commit 9e254c8 into GitoxideLabs:main Sep 22, 2025
26 checks passed
EliahKagan deleted the run-ci/no-persist-credentials branch September 22, 2025 00:34
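For readers who want the same policy outside this repository's CI, the following added example (written for this page; not the job this pull request adds) checks parsed workflow mappings for the three failure cases listed in the commit messages above: a checkout step with no `with`, a `with` without `persist-credentials`, and `persist-credentials` set to something other than boolean `false`. Loading files from disk assumes PyYAML; the two sample workflows are constructed, and the script name `check_persist_credentials.py` used in the usage note is an assumption.

```python
"""Fail if any actions/checkout step in a set of GitHub workflows does not
set persist-credentials to boolean false.

Added example; it is not the CI job from this pull request, but applies the
same policy as a stand-alone script. A workflow is handled as the mapping
`yaml.safe_load` returns for the file; the two sample workflows below are
constructed to cover the failure modes the PR's check was tested against.
PyYAML is only needed (and only imported) by load_workflows().
"""
import glob
import os
import sys

CHECKOUT_PREFIX = "actions/checkout@"  # any tag, branch or commit SHA


def checkout_violations(workflow, source="<workflow>"):
    """Return one finding string per non-compliant actions/checkout step.

    A step is compliant only if it has a `with` mapping whose
    `persist-credentials` key is the YAML boolean false. The string "false",
    true, a number, or a missing key all count as violations.
    """
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        # Jobs that call a reusable workflow have `uses` and no steps.
        for idx, step in enumerate((job or {}).get("steps") or []):
            uses = step.get("uses")
            if not isinstance(uses, str) or not uses.lower().startswith(CHECKOUT_PREFIX):
                continue
            where = f"{source}: job {job_id!r}, step {idx} ({uses})"
            with_ = step.get("with")
            if with_ is None:
                findings.append(f"{where}: no `with` mapping")
            elif not isinstance(with_, dict):
                findings.append(f"{where}: `with` is not a mapping")
            elif "persist-credentials" not in with_:
                findings.append(f"{where}: `with` lacks persist-credentials")
            elif with_["persist-credentials"] is not False:
                value = with_["persist-credentials"]
                findings.append(f"{where}: persist-credentials is {value!r}, not boolean false")
    return findings


def load_workflows(directory=".github/workflows"):
    """Map each workflow path under `directory` to its parsed content."""
    import yaml  # third-party (PyYAML); imported here so the checker itself has no dependency
    paths = glob.glob(os.path.join(directory, "*.yml")) + glob.glob(os.path.join(directory, "*.yaml"))
    workflows = {}
    for path in sorted(paths):
        with open(path, encoding="utf-8") as fh:
            workflows[path] = yaml.safe_load(fh) or {}
    return workflows


def check_directory(directory=".github/workflows"):
    """Run checkout_violations over every workflow file in the directory."""
    findings = []
    for path, workflow in load_workflows(directory).items():
        findings.extend(checkout_violations(workflow, path))
    return findings


# Constructed sample: a compliant workflow, including a reusable-workflow job.
GOOD_WORKFLOW = {
    "name": "ci",
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v5", "with": {"persist-credentials": False}},
                {"run": "cargo test --workspace"},
            ],
        },
        "reuse": {"uses": "./.github/workflows/other.yml"},
    },
}

# Constructed sample: one job per failure mode, plus an unrelated action
# that must not be flagged.
BAD_WORKFLOW = {
    "jobs": {
        "no-with": {"steps": [{"uses": "actions/checkout@v4"}]},
        "other-inputs-only": {"steps": [{"uses": "actions/checkout@v4", "with": {"fetch-depth": 0}}]},
        "string-false": {"steps": [{"uses": "actions/checkout@v4", "with": {"persist-credentials": "false"}}]},
        "explicit-true": {"steps": [{"uses": "actions/checkout@v4", "with": {"persist-credentials": True}}]},
        "unrelated": {"steps": [{"uses": "actions/setup-node@v4", "with": {"node-version": 20}}]},
    },
}


if __name__ == "__main__":
    problems = check_directory(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run as `python check_persist_credentials.py .github/workflows` (hypothetical file name); a non-zero exit with one line per offending step is what a CI job would key off. The `is not False` comparison is deliberate: PyYAML turns an unquoted `false` into the boolean, while `"false"` stays a string that actions/checkout would not treat as disabling persistence in the way the policy intends, so only the boolean passes.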
EliahKagan (Member, Author) commented Sep 23, 2025

I just realized that the way I did the partial squash was different from the way I described it, so the commit that is described as refining the new check is actually the one that adds the new check (with all the refinements included). That is, I had planned to have three commits and I ended up having two, with the first commit claiming to contain some changes that only come in as of the second commit.

That might be better anyway, but it's not better that the commit messages are both slightly wrong; sorry about that, and I hope it doesn't cause any confusion. I think the actual changes are fine, and this issue with the messages doesn't hurt gitbutlerapp/gitbutler#10399 either.

Byron (Member) commented Sep 23, 2025

I noticed it when looking at this PR but also didn't think it was worth fixing 😅.

EliahKagan added a commit to EliahKagan/gitoxide that referenced this pull request Sep 26, 2025
- Give the workflow a shorter name
- Also trigger on "run-ci" branches (in addition to main)
- Also allow to be triggered from Actions tab
- Comment out currently unneeded permissions
- Use v5 of actions/checkout (rather than v4)
- Don't persist auth token after checkout (see GitoxideLabs#2187)