From 99e70100c7280393894336ccbd1417d7e6476414 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Thu, 29 May 2025 17:15:35 +0100 Subject: [PATCH] workflows: Set persist-credentials: false on checkout By default the checkout action leaves the credentials in the checked-out repo's `.git/config`, which means they could get exposed. Use persist-credentials: false to prevent this from happening. Note: static-checks.yaml does use git diff after the checkout, but the git docs state that git diff is just local, so it doesn't need authentication.
Signed-off-by: stevenhorsman
---
.github/workflows/actionlint.yaml | 1 +
.github/workflows/basic-ci-amd64.yaml | 13 ++++++++++---
.github/workflows/basic-ci-s390x.yaml | 4 ++++
.../workflows/build-checks-preview-riscv64.yaml | 1 +
.github/workflows/build-checks.yaml | 1 +
.../build-kata-static-tarball-amd64.yaml | 4 ++++
.../build-kata-static-tarball-arm64.yaml | 4 ++++
.../build-kata-static-tarball-ppc64le.yaml | 4 ++++
.../build-kata-static-tarball-riscv64.yaml | 1 +
.../build-kata-static-tarball-s390x.yaml | 7 ++++++-
.github/workflows/cargo-deny-runner.yaml | 2 ++
.github/workflows/ci-weekly.yaml | 1 +
.github/workflows/ci.yaml | 2 ++
.github/workflows/cleanup-resources.yaml | 2 ++
.github/workflows/codeql.yml | 2 ++
.github/workflows/darwin-tests.yaml | 2 ++
.github/workflows/docs-url-alive-check.yaml | 1 +
.github/workflows/gatekeeper-skipper.yaml | 1 +
.github/workflows/gatekeeper.yaml | 1 +
.github/workflows/kata-runtime-classes-sync.yaml | 2 ++
.github/workflows/payload-after-push.yaml | 2 ++
.../workflows/publish-kata-deploy-payload.yaml | 1 +
.github/workflows/release-amd64.yaml | 2 ++
.github/workflows/release-arm64.yaml | 2 ++
.github/workflows/release-ppc64le.yaml | 2 ++
.github/workflows/release-s390x.yaml | 2 ++
.github/workflows/release.yaml | 15 +++++++++++++++
.../run-cri-containerd-tests-ppc64le.yaml | 1 +
.github/workflows/run-k8s-tests-on-aks.yaml | 1 +
.github/workflows/run-k8s-tests-on-amd64.yaml | 1 +
.github/workflows/run-k8s-tests-on-arm64.yaml | 1 +
.github/workflows/run-k8s-tests-on-ppc64le.yaml | 1 +
.github/workflows/run-k8s-tests-on-zvsi.yaml | 1 +
.../workflows/run-kata-coco-stability-tests.yaml | 1 +
.github/workflows/run-kata-coco-tests.yaml | 3 +++
.../workflows/run-kata-deploy-tests-on-aks.yaml | 1 +
.github/workflows/run-kata-deploy-tests.yaml | 1 +
.github/workflows/run-kata-monitor-tests.yaml | 1 +
.github/workflows/run-metrics.yaml | 1 +
.github/workflows/run-runk-tests.yaml | 1 +
.github/workflows/shellcheck.yaml | 3 +--
.github/workflows/shellcheck_required.yaml | 2 +-
.github/workflows/static-checks.yaml | 3 +++
src/runtime/pkg/govmm/.github/workflows/main.yml | 2 ++
44 files changed, 100 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index ec3d85fc93..d53bb19d7d 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -28,6 +28,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install actionlint gh extension
run: gh extension install https://github.com/cschleiden/gh-actionlint
diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml
index 71378d76f0..c9e553b864 100644
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -36,6 +36,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -79,6 +80,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -119,7 +121,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
-
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -161,6 +163,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -195,6 +198,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -236,6 +240,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
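Review bot: `persist-credentials: false` is added immediately before a `Rebase atop of the latest target branch` step that calls `./tests/git-helper.sh`, and the commit message only argues that `git diff` in static-checks.yaml needs no token; it says nothing about this helper, which presumably has to fetch the target branch from the remote. For a public upstream repository an anonymous HTTPS fetch works, so this is likely fine, but on a private fork the failure would now surface in the rebase step rather than at checkout. The same pattern recurs in every `Rebase atop` hunk of basic-ci-*, build-kata-static-tarball-*, ci*, publish-kata-deploy-payload and the run-* workflows. A sentence in the description such as `The rebase helper only fetches the public target branch and does not push, so it does not need the persisted token either.` would document that reasoning; the helper script itself is outside this diff.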
@@ -279,6 +284,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -319,6 +325,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -362,6 +369,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -400,14 +408,13 @@ jobs:
retention-days: 1
run-kata-agent-apis:
- strategy:
- fail-fast: false
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml
index 2ea606bafb..9fcf50da57 100644
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -36,6 +36,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -78,6 +79,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -118,6 +120,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -157,6 +160,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml
index b5992bf568..7a0b9498ff 100644
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
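Review bot: The `- strategy:` / `- fail-fast: false` removal under `run-kata-agent-apis:` in the `@@ -400,14 +408,13 @@` hunk of basic-ci-amd64.yaml is unrelated to the persist-credentials subject and is not mentioned in the commit message. A `strategy` block carrying only `fail-fast` and no `matrix` is presumably inert (or a lint complaint), so dropping it is likely harmless, but a reader bisecting later has no way to tell that from this commit. Either split it into its own commit or add a line to the description, e.g. `Also drop the matrix-less strategy block from run-kata-agent-apis, which had no effect.`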
@@ -75,6 +75,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install yq
run: |
diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml
index 79b9cf580c..073448b07e 100644
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -73,6 +73,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install yq
run: |
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 721e257988..b819886f6c 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -84,6 +84,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -182,6 +183,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -272,6 +274,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -324,6 +327,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index e98485e1a1..bac43318a4 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -65,6 +65,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -158,6 +159,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -244,6 +246,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -294,6 +297,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
index d44908a772..4fecbd5abe 100644
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -55,6 +55,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -111,6 +112,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -183,6 +185,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -237,6 +240,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml
index c22fff6668..e3b07d0117 100644
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -53,6 +53,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index 915cb7ae26..b92b3178cf 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -63,6 +63,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -144,6 +145,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -192,7 +194,8 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v4
-
+ with:
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -266,6 +269,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -322,6 +326,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml
index 3969ec243b..925baf2b68 100644
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -22,6 +22,8 @@ jobs:
- name: Checkout Code
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Generate Action
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: bash cargo-deny-generator.sh
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 3224c45e5d..57f998e309 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -75,6 +75,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7ff1698a50..8fbba177e7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -190,6 +190,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -231,6 +232,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml
index 27f42311a4..bd89b6792f 100644
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -12,6 +12,8 @@ jobs:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Log into Azure
env:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a120cb7d9e..6de0ef4300 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -61,6 +61,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml
index 7e96d6baa3..5d4264e364 100644
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -24,5 +24,7 @@ jobs:
go-version: 1.23.7
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Build utils
run: ./ci/darwin-test.sh
diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml
index 14eaa80e9b..48830672d6 100644
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -28,6 +28,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
path: ./src/github.com/${{ github.repository }}
# docs url alive check
- name: Docs URL Alive Check
diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml
index a85207f57d..03ec1e0d3f 100644
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -46,6 +46,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- id: skipper
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml
index 687f12aa94..b7cdae154f 100644
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -32,6 +32,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
+ persist-credentials: false
- id: gatekeeper
env:
TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml
index aa7ea7fd77..717cf222d3 100644
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -19,6 +19,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Ensure the split out runtime classes match the all-in-one file
run: |
pushd tools/packaging/kata-deploy/runtimeclasses/
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index dc82b7b04a..f1684fffc7 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -144,6 +144,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Login to Kata Containers quay.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index 11d0556218..95a691ea1a 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -48,6 +48,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 97950443f4..fb454cd79b 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -43,6 +43,8 @@ jobs:
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index 4d113d55b6..eff43ee2e1 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -43,6 +43,8 @@ jobs:
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index 0e94c88b68..b80feef909 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -43,6 +43,8 @@ jobs:
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index 535f5238f1..755da97c73 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -47,6 +47,8 @@ jobs:
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4c5efbf999..4c4a505ac8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Create a new release
run: |
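Review bot: `persist-credentials: false` now applies to the checkout that precedes `Create a new release` in release.yaml (`@@ -13,6 +13,7 @@`), and likewise to the `Upload versions.yaml to GitHub`, `Generate and upload vendored code tarball` and `Publish a release` hunks that follow; every one of those `run: |` bodies lies outside the hunk. If any of them creates a tag or commit with a plain `git push`, that push was riding on the persisted token and will now fail at release time, which is the worst moment to discover it; if they go through `gh` with a token in the environment they are unaffected. The commit message already reasons this way for `git diff` in static-checks.yaml, so extending that sentence to the release jobs, e.g. `The release jobs publish via gh with GITHUB_TOKEN in the environment rather than via git push, so they do not rely on the persisted credential.`, once confirmed, would close the gap.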
@@ -77,6 +78,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -109,6 +112,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Set KATA_STATIC_TARBALL env var
run: |
@@ -169,6 +174,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Upload versions.yaml to GitHub
run: |
@@ -182,6 +189,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Generate and upload vendored code tarball
run: |
@@ -195,6 +204,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Download libseccomp tarball and upload it to GitHub
run: |
@@ -208,6 +219,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Install helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
@@ -236,6 +249,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Publish a release
run: |
diff --git a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
index 3c40300063..11a0fda550 100644
--- a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
+++ b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
@@ -37,6 +37,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
index 117c7b7f46..3505538c60 100644
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -89,6 +89,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml
index b5ed1a965e..7c23b35b0a 100644
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -65,6 +65,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml
index 63c999dcf6..f2551a6ece 100644
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -50,6 +50,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
index 9ec29a7872..788405fb7c 100644
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -50,6 +50,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml
index 60c6d2cb7e..604ee021b5 100644
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -85,6 +85,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml
index 1de2f8922e..e192e6a582 100644
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -74,6 +74,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index 2e78be8146..6f92f2d685 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -75,6 +75,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -160,6 +161,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -250,6 +252,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
index 7e7cd9eb0a..863ba8a9f2 100644
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -64,6 +64,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml
index c184051603..9402960953 100644
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -51,6 +51,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml
index 986abae406..687791ac2b 100644
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -44,6 +44,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml
index cd00b58fd0..e7ba0a10f3 100644
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -51,6 +51,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml
index 26155ea81f..65489aa64f 100644
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -28,6 +28,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
+ persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
index 621eade60d..76e0f77ebf 100644
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -25,8 +25,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
-
- - uses: actions/checkout@v4
+ persist-credentials: false
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with:
diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml
index 861d91a5da..369a03f20c 100644
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -26,8 +26,8 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- - uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with:
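Review bot: The removal of the second `- uses: actions/checkout@v4` in shellcheck.yaml (`@@ -25,8 +25,7 @@`) and in shellcheck_required.yaml (`@@ -26,8 +26,8 @@`) is doing security work the commit message does not describe: a second checkout with the action's default settings would presumably have written the token back into `.git/config`, undoing the `persist-credentials: false` set on the first checkout just above it. Because the diffstat shows this as the only place with net deletions besides basic-ci-amd64.yaml, someone reading the history will otherwise take it for an unrelated cleanup. A sentence such as `Also drop the duplicate checkout step in the shellcheck workflows, which would otherwise have re-persisted the token.` in the description would make the intent explicit.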
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index 8b00d0b74b..0ce99659a4 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -30,6 +30,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Ensure the kernel config version has been updated
run: |
kernel_dir="tools/packaging/kernel/"
@@ -71,6 +72,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install system deps
run: |
sudo apt-get update && sudo apt-get install -y build-essential musl-tools
@@ -108,6 +110,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false
path: ./src/github.com/${{ github.repository }}
- name: Install yq
run: |
diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml
index 7da7e9e58d..4cde2b00df 100644
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -18,6 +18,8 @@ jobs:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: golangci-lint
uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6.5.1
with:
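Review bot: `uses: actions/checkout@v4` in the govmm main.yml hunk (`@@ -18,6 +18,8 @@`) is pinned to a mutable tag while the `golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6.5.1` two lines below is pinned to a full commit SHA, and the same mix sits beside the SHA-pinned `docker/login-action`, `azure/setup-helm` and `ludeeus/action-shellcheck` lines in the other hunks. This predates the commit and is outside its stated scope, but since the change already touches every checkout `with:` block it is the cheapest moment to make the checkout pin match the repository's SHA-pinned style, `uses: actions/checkout@<full-commit-sha-of-the-chosen-v4-tag> # v4.x`, in one sweep rather than a second forty-file patch. If that is deferred, a one-line follow-up issue reference in the description would keep it from being lost.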