ci: disable credential persistence in checkout steps#4817
Summary by CodeRabbit
Walkthrough / Changes: GitHub Actions Credential Persistence Hardening
hi @arkid15r, please take a look at this whenever you have time.
Actionable comments posted: 1
Inline comments:
In @.github/workflows/run-ci-cd.yaml:
- Around line 174-176: The checkout step named "Check out repository" using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should explicitly set
persist-credentials: false to avoid persisting the GITHUB_TOKEN; update that
step (the "Check out repository" step referencing
actions/checkout@de0fac2e45...) to include a with: block containing
persist-credentials: false so the audit-dependencies job does not retain
credentials after checkout.
📒 Files selected for processing (3)
- .github/workflows/run-ci-cd.yaml
- .github/workflows/run-code-ql.yaml
- .github/workflows/run-fuzz-tests.yaml
Codecov Report: ✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #4817 +/- ##
=======================================
Coverage 98.86% 98.86%
=======================================
Files 538 538
Lines 17157 17157
Branches 2406 2406
=======================================
Hits 16963 16963
Misses 105 105
Partials 89 89
🛑 Comments failed to post (1)
.github/workflows/run-ci-cd.yaml (1)
174-176: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
python - <<'PY'
from pathlib import Path

path = Path(".github/workflows/run-ci-cd.yaml")
lines = path.read_text().splitlines()
for i, line in enumerate(lines):
    if "uses: actions/checkout@" in line:
        # Heuristic: look at the next few lines of the step for the flag
        block = lines[i:i + 6]
        if not any("persist-credentials: false" in entry for entry in block):
            print(f"{path}:{i + 1}")
            print("\n".join(block))
            print("---")
PY
```
Repository: OWASP/Nest
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
import re

path = Path(".github/workflows/run-ci-cd.yaml")
lines = path.read_text().splitlines()

# Find step list items that are at some indent and start with "- "
# Then, within each step, detect uses: actions/checkout@...
step_start_re = re.compile(r'^(?P<indent>\s*)-\s+name:\s+.*$')
uses_checkout_re = re.compile(r'^\s*uses:\s*actions/checkout@')
persist_re = re.compile(r'^\s*persist-credentials:\s*false\s*$')

# Also detect "- name:" step; checkout could appear without name, but in this file it seems present.
# We'll locate "uses: actions/checkout@" lines and then expand to the owning "- ..." step block by indent.
checkout_indices = [i for i, l in enumerate(lines) if 'uses: actions/checkout@' in l]
missing = []


def step_block(i):
    # Determine indent of the "- " line that begins the step.
    # Walk upward to find the nearest "- " line at same indentation level.
    # First find the indent of the uses line
    uses_indent = len(lines[i]) - len(lines[i].lstrip(' '))
    # Walk up to find line that starts with "- " at indentation < uses_indent
    j = i
    while j >= 0:
        l = lines[j]
        if re.match(r'^\s*-\s+', l):
            dash_indent = len(l) - len(l.lstrip(' '))
            if dash_indent < uses_indent:
                step_indent = dash_indent
                # Find end: next line with "- " at same step_indent (or smaller) that starts a new step
                k = j + 1
                while k < len(lines):
                    lk = lines[k]
                    if re.match(r'^\s*-\s+', lk):
                        ind = len(lk) - len(lk.lstrip(' '))
                        if ind == step_indent:
                            break
                    k += 1
                return j, k
        j -= 1
    return None


for idx in checkout_indices:
    rng = step_block(idx)
    if rng is None:
        continue
    start, end = rng
    block = lines[start:end]
    has_persist = any(persist_re.search(b) for b in block)
    if not has_persist:
        missing.append((idx + 1, start + 1, end, lines[idx].strip(), "\n".join(block[:min(len(block), 25)])))

print("Missing checkout steps:", len(missing))
for m in missing:
    line_no, start_line, _, uses_line, preview = m
    print(f"\n- checkout uses line: {line_no} (step starts at {start_line})")
    print(uses_line)
PY
```
Repository: OWASP/Nest
Add `with.persist-credentials: false` to the `audit-dependencies` checkout.
`.github/workflows/run-ci-cd.yaml` (step starting at line 174; `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` at line 175) is missing the flag, leaving that token persistence hardening gap open.
Suggested fix
- name: Check out repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false📝 Committable suggestion
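Review bot: The added with: block is the right setting for a read-only job, but before applying it confirm that no later step in audit-dependencies performs an authenticated git operation (a push, a fetch of a private repository, or a tool that reuses the persisted extraheader); with persist-credentials: false those would start failing rather than leaking. The same check applies to each of the other checkout steps this PR flips, since the description justifies the change only for workflows that perform read-only operations.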
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 174-175: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Tysm
* chore(about): replace Ansible with Terraform in technologies section (#4800)

* Pin dependencies, add audit step (#4802)

  * Pin dependencies, add audit step
  * Address review comments
  * Update code

* feat(projects): add health indicators to project cards (#4678)

  * feat(projects): add project health indicators
  * fix: resolve merge conflicts
  * Fix tests
  * Update code
  * Update code

  ---------

  Co-authored-by: Kate <kate@kgthreads.com>
  Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
  Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* fix: improve mobile responsiveness on issues page (#4712)

  * fix: improve mobile responsiveness on issues page
  * fix: fix mobile dropdown caret position and double background on issues page
  * fix: address coderabbit suggestions for dropdown background and caret positioning
  * Update code

  ---------

  Co-authored-by: Kate Golovanova <kate@kgthreads.com>

* test(alb): add deletion protection test coverage (#4796)

  Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* chore(deps): bump aquasec/trivy (#4809)

  Bumps the version-updates group with 1 update in the /docker/trivy directory: aquasec/trivy.

  Updates `aquasec/trivy` from 0.70.0 to 0.71.0

  ---
  updated-dependencies:
  - dependency-name: aquasec/trivy
    dependency-version: 0.71.0
    dependency-type: direct:production
    update-type: version-update:semver-minor
    dependency-group: version-updates
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the version-updates group across 1 directory with 2 updates (#4810)

  Bumps the version-updates group with 2 updates in the / directory: [pnpm/action-setup](https://github.com/pnpm/action-setup) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).

  Updates `pnpm/action-setup` from 6.0.5 to 6.0.7
  - [Release notes](https://github.com/pnpm/action-setup/releases)
  - [Commits](pnpm/action-setup@8912a91...739bfe4)

  Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
  - [Release notes](https://github.com/actions/dependency-review-action/releases)
  - [Commits](actions/dependency-review-action@2031cfc...a1d282b)

  ---
  updated-dependencies:
  - dependency-name: pnpm/action-setup
    dependency-version: 6.0.7
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: version-updates
  - dependency-name: actions/dependency-review-action
    dependency-version: 5.0.0
    dependency-type: direct:production
    update-type: version-update:semver-major
    dependency-group: version-updates
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump @sentry/nextjs in /frontend (#4812)

  Bumps [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) in `/frontend` from 10.51.0 to 10.52.0.

  Updates `@sentry/nextjs` from 10.51.0 to 10.52.0
  - [Release notes](https://github.com/getsentry/sentry-javascript/releases)
  - [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
  - [Commits](getsentry/sentry-javascript@10.51.0...10.52.0)

  ---
  updated-dependencies:
  - dependency-name: "@sentry/nextjs"
    dependency-version: 10.52.0
    dependency-type: direct:production
    update-type: version-update:semver-minor
    dependency-group: npm_and_yarn
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump db_engine_version to 16.13

* Bump pyjwt to v2.13.0

* Fix staging deployment process

* ci: disable credential persistence in checkout steps (#4817)

  * ci: disable credential persistence in run-ci-cd.yaml
  * ci: disable credential persistence in run-fuzz-tests.yaml
  * ci: disable credential persistence in run-code-ql.yaml
  * ci: disable credential persistence in check-pr-issue.yaml
  * ci: disable credential persistence in update-nest-test-images.yaml

  ---------

  Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* Bump Django to 6.0.6

* Bump aiohttp to 3.14.0

* chore(deps): bump the version-updates group across 1 directory with 2 updates (#4823)

  Bumps the version-updates group with 2 updates in the / directory: [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) and [pnpm/action-setup](https://github.com/pnpm/action-setup).

  Updates `hashicorp/setup-terraform` from 4.0.0 to 4.0.1
  - [Release notes](https://github.com/hashicorp/setup-terraform/releases)
  - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/setup-terraform@5e8dbf3...dfe3c3f)

  Updates `pnpm/action-setup` from 6.0.7 to 6.0.8
  - [Release notes](https://github.com/pnpm/action-setup/releases)
  - [Commits](pnpm/action-setup@739bfe4...0e279bb)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/setup-terraform
    dependency-version: 4.0.1
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: version-updates
  - dependency-name: pnpm/action-setup
    dependency-version: 6.0.8
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: version-updates
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* chore(deps): bump @sentry/nextjs in /frontend (#4822)

  Bumps [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) in `/frontend` from 10.52.0 to 10.53.1.

  Updates `@sentry/nextjs` from 10.52.0 to 10.53.1
  - [Release notes](https://github.com/getsentry/sentry-javascript/releases)
  - [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
  - [Commits](getsentry/sentry-javascript@10.52.0...10.53.1)

  ---
  updated-dependencies:
  - dependency-name: "@sentry/nextjs"
    dependency-version: 10.53.1
    dependency-type: direct:production
    update-type: version-update:semver-minor
    dependency-group: npm_and_yarn
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Adarsh Kumar <162141376+Adarshkumar0509@users.noreply.github.com>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
Co-authored-by: Shuban Mutagi <shubanmutagi55@gmail.com>
Co-authored-by: Kate <kate@kgthreads.com>
Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Anirudh <86768646+Ani07-05@users.noreply.github.com>
Co-authored-by: Tanishq Meshram <tnshqmeshram@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Resolves #4803
Set `persist-credentials: false` on all `actions/checkout` steps across all workflow files to prevent credential leakage through artifacts or logs.

By default, `actions/checkout` persists GitHub credentials in the local git config after checkout. This is unnecessary for workflows that only perform read-only operations and creates a security risk if credentials are exposed through artifacts or logs.

Changes
- .github/workflows/run-ci-cd.yaml: 21 checkout steps updated
- .github/workflows/run-fuzz-tests.yaml: 1 checkout step updated
- .github/workflows/run-code-ql.yaml: 1 checkout step updated
- .github/workflows/check-pr-issue.yaml: 1 checkout step updated
- .github/workflows/update-nest-test-images.yaml: 1 checkout step updated

Checklist
- `make check-test` locally: all warnings addressed, tests passed
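The description above and the zizmor "artipacked" finding both turn on the same fact: with the default `persist-credentials: true`, `actions/checkout` writes the job token into the working tree's `.git/config` as an `http.https://github.com/.extraheader` entry holding `basic base64("x-access-token:<token>")`, and anything that later bundles the working tree (an `upload-artifact` step, a build that copies `.git`) ships that token outside the runner, where the log secret mask does not apply. The following script is an added example written for this page, not code from the PR or from the OWASP/Nest project. It builds a constructed artifact tarball containing a `.git/config` in the layout `actions/checkout` produces (the token value and the repository contents are made up), scans it for persisted credentials, and shows that the same scan finds nothing for the config a `persist-credentials: false` checkout leaves behind. The function names and the `build_artifact` helper are assumptions for the example.

```python
"""Detect GitHub tokens that actions/checkout persisted in .git/config inside an artifact."""
import base64
import io
import re
import tarfile

# actions/checkout stores the job token as an HTTP extra header scoped to the remote:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER_RE = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(?P<b64>[A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def persisted_tokens(git_config: str) -> list[str]:
    """Return every decoded 'user:token' pair stored as a basic-auth extraheader."""
    found = []
    for match in EXTRAHEADER_RE.finditer(git_config):
        try:
            decoded = base64.b64decode(match.group("b64"), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed basic-auth value; skip rather than crash
        found.append(decoded)
    return found


def redact(user_token: str) -> str:
    """Keep enough of the token to identify it in a report without reprinting the secret."""
    user, _, token = user_token.partition(":")
    if len(token) > 8:
        return f"{user}:{token[:4]}...{token[-4:]}"
    return f"{user}:***"


def scan_artifact(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Inspect every .git/config inside an artifact tarball; return (member, redacted credential)."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".git/config"):
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            text = handle.read().decode(errors="replace")
            for cred in persisted_tokens(text):
                hits.append((member.name, redact(cred)))
    return hits


def build_artifact(git_config: str) -> bytes:
    """Constructed sample: an artifact that accidentally bundled the checkout's .git directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("build/README.md", b"# app\n"), ("build/.git/config", git_config.encode())):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed token for the example; "ghs_" is the prefix GitHub uses for installation
# tokens such as GITHUB_TOKEN, but this value is made up and not a real credential.
FAKE_TOKEN = "ghs_EXAMPLEtoken0000000000000000000000"
_B64 = base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode()

# What .git/config looks like after a default checkout (persist-credentials: true).
DEFAULT_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n"
    '[remote "origin"]\n\turl = https://github.com/OWASP/Nest\n'
    '[http "https://github.com/"]\n'
    f"\textraheader = AUTHORIZATION: basic {_B64}\n"
)

# What it looks like after `persist-credentials: false`: the extraheader is never written.
HARDENED_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n"
    '[remote "origin"]\n\turl = https://github.com/OWASP/Nest\n'
)

if __name__ == "__main__":
    for label, cfg in (("default checkout", DEFAULT_CONFIG), ("persist-credentials: false", HARDENED_CONFIG)):
        print(f"{label}: {scan_artifact(build_artifact(cfg)) or 'no persisted credentials'}")
```

Running it reports the redacted `x-access-token:ghs_...0000` hit for the default config and nothing for the hardened one. The same `scan_artifact` check can be pointed at a downloaded artifact tarball to verify a workflow really stopped shipping the token, which is a stronger confirmation than the line-proximity heuristics in the review scripts above.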