From f8d1662a629c51535f6c8db823f38320abc8c3b3 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Mon, 9 Dec 2024 17:47:35 +0530
Subject: [PATCH] ifix(ci): do not persist checkout credentials when not required
---
 .github/reusable-workflows/setup-gradle/action.yml | 5 +++++
 .github/workflows/ci.yml | 2 ++
 .github/workflows/release.yml | 1 +
 3 files changed, 8 insertions(+)
diff --git a/.github/reusable-workflows/setup-gradle/action.yml b/.github/reusable-workflows/setup-gradle/action.yml
index fa483163..af5f6836 100644
--- a/.github/reusable-workflows/setup-gradle/action.yml
+++ b/.github/reusable-workflows/setup-gradle/action.yml
@@ -17,6 +17,10 @@ inputs:
 description: 'dependency-graph input for gradle/actions/setup-gradle'
 required: false
 default: 'disabled'
+ persist-credentials:
+ description: 'Control the actions/checkout persist-credentials setting'
+ required: false
+ default: false
 runs:
 using: "composite"
 steps:
@@ -26,6 +30,7 @@ runs:
 fetch-depth: ${{ inputs.fetch-depth }}
 token: ${{ inputs.token }}
 lfs: true
+ persist-credentials: ${{ inputs.persist-credentials }}
 - name: Set up JDK
 uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 872410e2..fd36db12 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -49,6 +49,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba87d646..f0c1763c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
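Review bot: The new `persist-credentials` input in setup-gradle/action.yml declares `default: false` as a bare YAML boolean, while the neighbouring input quotes its default (`'disabled'`). Action inputs reach the step as strings, so `default: 'false'` states what the checkout step actually receives and matches the file's style. The description could also tell callers when opting in is appropriate, for example `description: 'Keep the checkout token in the local git config; enable only for jobs that run authenticated git commands after checkout'`.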
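Review bot: Passing `persist-credentials: ${{ inputs.persist-credentials }}` to the checkout step in setup-gradle/action.yml changes behaviour for every existing caller of this composite action, because actions/checkout persists the token unless told otherwise and the new input defaults to false. The commit opts release.yml back in, but any other workflow that uses this action and later runs an authenticated git command (push, fetch, submodule update) would now fail at that step. A search for remaining callers before merging would confirm none depends on the old default. The checkout step's opening lines are outside the hunk.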
@@ -21,6 +21,7 @@ jobs:
 token: ${{ secrets.POST_RELEASE_GH_TOKEN }}
 fetch-depth: 0
 cache-read-only: ${{ github.ref != 'refs/heads/main' }}
+ persist-credentials: true
 - name: Set up Git author
 shell: bash
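Review bot: `persist-credentials: true` in release.yml leaves `POST_RELEASE_GH_TOKEN` in the checkout's local git config for every step that runs afterwards, so the one job that opts in is also the one holding the most privileged token. A comment recording why it is needed would keep the setting from being copied into other workflows, e.g. `# required: a later step pushes with this token`. That later step is presumably the post-release push, which is not visible in this hunk. If the push can be isolated, handing the token only to that step would narrow the exposure. The step this setting belongs to starts outside the hunk.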