Summary
Follow up on the security finding raised during review of #828: ensure every GitHub Actions checkout step in this repository explicitly disables credential persistence by setting persist-credentials: false where repository code is executed afterwards.
Why this matters
actions/checkout persists the workflow token in the local git configuration by default. When a job checks out repository code and then runs that code, the checked-out code has an avoidable opportunity to read the token. Setting persist-credentials: false reduces that exposure.
Affected areas identified in the repository scan
.github/workflows/single-mongo.yml (Line 38)
.github/workflows/tests-auth.yml (Line 28)
.github/workflows/tests-oldest.yml (Line 37)
Required changes
- Review every workflow in this repository that uses
actions/checkout.
- For each applicable checkout step, add:
with:
persist-credentials: false
- If any workflow genuinely requires persisted git credentials after checkout, document the reason inline in the workflow and keep the exception as narrow as possible.
- Also review locally defined reusable workflows under
.github/workflows/, because callers may inherit the checkout behaviour from those shared job definitions.
Acceptance criteria
- All applicable
actions/checkout steps in repository workflows explicitly set persist-credentials: false.
- Any intentional exception is documented in the workflow with a clear justification.
- Existing CI behaviour remains unchanged apart from the credential-handling hardening.
Backlinks
Requested by @fizyk.
Summary
Follow up on the security finding raised during review of #828: ensure every GitHub Actions checkout step in this repository explicitly disables credential persistence by setting
persist-credentials: falsewhere repository code is executed afterwards.Why this matters
actions/checkoutpersists the workflow token in the local git configuration by default. When a job checks out repository code and then runs that code, the checked-out code has an avoidable opportunity to read the token. Settingpersist-credentials: falsereduces that exposure.Affected areas identified in the repository scan
.github/workflows/single-mongo.yml(Line 38).github/workflows/tests-auth.yml(Line 28).github/workflows/tests-oldest.yml(Line 37)Required changes
actions/checkout.with:persist-credentials: false.github/workflows/, because callers may inherit the checkout behaviour from those shared job definitions.Acceptance criteria
actions/checkoutsteps in repository workflows explicitly setpersist-credentials: false.Backlinks
Requested by @fizyk.