From bffaacf36ef65a5f7f986f3c67b176592e80bc52 Mon Sep 17 00:00:00 2001 From: Joey Parrish Date: Wed, 18 Dec 2024 08:25:05 -0800 Subject: [PATCH] ci: Do not persist credentials after checkout (#89) See actions/checkout#485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. --- .github/workflows/release-please.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index b8cd518..e16173f 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -23,6 +23,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.after }} + persist-credentials: false if: ${{ steps.release.outputs.release_created }} - run: npm run build