Description
The actions/checkout action stores the GITHUB_TOKEN in .git/config by default (persist-credentials: true). This means any subsequent step in the workflow can access the token, even if it doesn't need git push capabilities.
Setting persist-credentials: false on checkout steps that don't require git push reduces the attack surface by preventing credential theft through compromised dependencies or scripts.
Reference: https://github.com/goreleaser/example-secure/blob/main/.github/workflows/release.yml
Expected Behavior
All actions/checkout steps that don't need to perform git push should have persist-credentials: false set.
Steps to Address
Add persist-credentials: false to checkout steps in workflows that only read code (test, build, scan, etc.), while keeping credentials available for workflows that need to push (backport, deploy, mkdocs).
Description
The
actions/checkoutaction stores theGITHUB_TOKENin.git/configby default (persist-credentials: true). This means any subsequent step in the workflow can access the token, even if it doesn't need git push capabilities.Setting
persist-credentials: falseon checkout steps that don't require git push reduces the attack surface by preventing credential theft through compromised dependencies or scripts.Reference: https://github.com/goreleaser/example-secure/blob/main/.github/workflows/release.yml
Expected Behavior
All
actions/checkoutsteps that don't need to perform git push should havepersist-credentials: falseset.Steps to Address
Add
persist-credentials: falseto checkout steps in workflows that only read code (test, build, scan, etc.), while keeping credentials available for workflows that need to push (backport, deploy, mkdocs).