ci: Do not persist credentials after checkout #62

joeyparrish · 2024-12-18T16:22:12Z

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set persist-credentials: false on all checkout actions.

See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions.

joeyparrish requested review from JulianDomingo, theodab and mariocynicys December 18, 2024 16:22

theodab approved these changes Dec 19, 2024

View reviewed changes

joeyparrish merged commit af2cb81 into shaka-project:main Dec 19, 2024
11 checks passed

joeyparrish deleted the no-persist-credentials branch December 19, 2024 18:08

This was referenced Dec 20, 2024

Workflows disabled pending vulnerability investigation shaka-project/shaka-streamer#216

Closed

GitHub Actions Workflow compromised - no damage done #57

Closed

github-actions bot added the status: archived Archived and locked; will not be updated label Feb 17, 2025

github-actions bot locked as resolved and limited conversation to collaborators Feb 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: Do not persist credentials after checkout #62

ci: Do not persist credentials after checkout #62

joeyparrish commented Dec 18, 2024

ci: Do not persist credentials after checkout #62

ci: Do not persist credentials after checkout #62

Conversation

joeyparrish commented Dec 18, 2024