Prevent credential persistence in checkout actions

maennchen · josevalim · commit dfe857e7df4c · 2026-02-25T12:59:01.000+01:00
Add `persist-credentials: false` to all `actions/checkout` usages to prevent Git credentials from being persisted in the repository after checkout completes. See: https://docs.zizmor.sh/audits/#artipacked
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,6 +49,8 @@ jobs:
       ERLC_OPTS: ${{ matrix.erlc_opts || '' }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4
         with:
@@ -128,6 +130,8 @@ jobs:
         run: git config --global core.autocrlf input
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4
         with:
diff --git a/.github/workflows/license_compliance.yml b/.github/workflows/license_compliance.yml
@@ -28,6 +28,8 @@ jobs:
       - name: Checkout project
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Run OSS Review Toolkit
         id: ort
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
@@ -34,6 +34,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Run markdownlint-cli2
         uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0
diff --git a/.github/workflows/ort/action.yml b/.github/workflows/ort/action.yml
@@ -46,6 +46,7 @@ runs:
         repository: oss-review-toolkit/ort-config
         ref: "main"
         path: ".ort-config"
+        persist-credentials: false
 
     - name: Setup ORT Config
       id: setup-ort-config
diff --git a/.github/workflows/posix_compliance.yml b/.github/workflows/posix_compliance.yml
@@ -33,6 +33,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install ShellCheck
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,6 +45,8 @@ jobs:
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.ref_type == 'branch'
+        with:
+          persist-credentials: false
 
       - name: Update ${{ github.ref_name }}-latest
         if: github.ref_type == 'branch'
@@ -82,6 +84,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: "Build Release"
         uses: ./.github/workflows/release_pre_built
@@ -203,6 +207,8 @@ jobs:
       - name: Checkout project
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: "Download Build Artifacts"
         id: download-build-artifacts
diff --git a/.github/workflows/release_notifications.yml b/.github/workflows/release_notifications.yml
@@ -18,6 +18,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4
         with:
diff --git a/.github/workflows/release_pre_built/action.yml b/.github/workflows/release_pre_built/action.yml
@@ -59,6 +59,7 @@ runs:
         repository: elixir-lang/ex_doc
         ref: ${{ env.EX_DOC_REF }}
         path: ex_doc
+        persist-credentials: false
     - name: Build ex_doc
       if: ${{ inputs.build_docs }}
       shell: bash
