GHA: set persist-credentials: false

Suggested by zizmor GHA analysis tool. Also: - Move GH variables within single-quotes. - Prefer single-quotes in shell code. (tidy-up) Ref: actions/checkout#485 Ref: actions/checkout#1687 Ref: https://woodruffw.github.io/zizmor/ Closes #15746
curl · Dec 16, 2024 · ba9fe58 · ba9fe58
1 parent 9991f25
commit ba9fe58
Show file tree

Hide file tree

Showing 13 changed files with 72 additions and 5 deletions.
diff --git a/.github/workflows/checkdocs.yml b/.github/workflows/checkdocs.yml
@@ -37,6 +37,8 @@ jobs:
   #    runs-on: ubuntu-latest
   #    steps:
   #      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+  #        with:
+  #          persist-credentials: false
   #        name: checkout
   #
   #      - name: install prereqs
@@ -89,6 +91,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: Run mdlinkcheck
@@ -98,6 +102,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: trim all man page *.md files
@@ -124,6 +130,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: badwords
@@ -136,6 +144,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: render nroff versions
@@ -149,6 +159,8 @@ jobs:
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: spacecheck

diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml
@@ -36,6 +36,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: check
@@ -45,6 +47,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: install
@@ -81,6 +85,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: REUSE Compliance Check
@@ -91,6 +97,8 @@ jobs:
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
         name: checkout
 
       - name: shellcheck

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -48,6 +48,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

diff --git a/.github/workflows/configure-vs-cmake.yml b/.github/workflows/configure-vs-cmake.yml
@@ -33,6 +33,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: run configure --with-openssl
         run: |
@@ -71,6 +73,8 @@ jobs:
          echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: run configure --with-openssl
         run: |
@@ -108,6 +112,8 @@ jobs:
         run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: run configure --with-schannel
         run: |

diff --git a/.github/workflows/curl-for-win.yml b/.github/workflows/curl-for-win.yml
@@ -48,6 +48,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
+          persist-credentials: false
           path: 'curl'
           fetch-depth: 8
       - name: 'build'
@@ -75,6 +76,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
+          persist-credentials: false
           path: 'curl'
           fetch-depth: 8
       - name: 'build'
@@ -101,6 +103,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
+          persist-credentials: false
           path: 'curl'
           fetch-depth: 8
       - name: 'build'
@@ -116,6 +119,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
+          persist-credentials: false
           path: 'curl'
           fetch-depth: 8
       - name: 'build'

diff --git a/.github/workflows/distcheck.yml b/.github/workflows/distcheck.yml
@@ -25,6 +25,8 @@ jobs:
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
         name: 'remove preinstalled curl libcurl4{-doc}'
@@ -129,6 +131,8 @@ jobs:
     needs: maketgz-and-verify-in-tree
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
         with:
@@ -141,6 +145,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
         name: 'remove preinstalled curl libcurl4{-doc}'

diff --git a/.github/workflows/hacktoberfest-accepted.yml b/.github/workflows/hacktoberfest-accepted.yml
@@ -28,6 +28,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
+          persist-credentials: false
           fetch-depth: 100
 
       - name: Check whether repo participates in Hacktoberfest
@@ -40,13 +41,13 @@ jobs:
 
       - name: Search relevant commit message lines starting with Closes/Merges
         run: |
-          git log --format=email ${{ github.event.before }}..${{ github.event.after }} | \
-            grep -Ei "^Close[sd]? " | sort | uniq | tee log
+          git log --format=email '${{ github.event.before }}..${{ github.event.after }}' | \
+            grep -Ei '^Close[sd]? ' | sort | uniq | tee log
         if: steps.check.outputs.label == 'hacktoberfest'
 
       - name: Search for Number-based PR references
         run: |
-          grep -Eo "#([0-9]+)" log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
+          grep -Eo '#([0-9]+)' log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
             gh pr view {} --json number,createdAt \
               --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
             grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
@@ -57,8 +58,8 @@ jobs:
 
       - name: Search for URL-based PR references
         run: |
-          grep -Eo "github.com/(.+)/(.+)/pull/([0-9]+)" log | sort | uniq | xargs -t -n1 -I{} \
-            gh pr view "https://{}" --json number,createdAt \
+          grep -Eo 'github.com/(.+)/(.+)/pull/([0-9]+)' log | sort | uniq | xargs -t -n1 -I{} \
+            gh pr view 'https://{}' --json number,createdAt \
               --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
             grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
               gh pr edit {} --add-label 'hacktoberfest-accepted'

diff --git a/.github/workflows/http3-linux.yml b/.github/workflows/http3-linux.yml
@@ -450,6 +450,8 @@ jobs:
         name: 'build quiche and boringssl'
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - run: autoreconf -fi
         if: ${{ matrix.build.configure }}

diff --git a/.github/workflows/linux-old.yml b/.github/workflows/linux-old.yml
@@ -74,6 +74,8 @@ jobs:
           dpkg -i libc6_*_amd64.deb
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'cmake build-only (out-of-tree, libssh2)'
         run: |

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -320,6 +320,8 @@ jobs:
         name: 'install dependencies'
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'Fix kernel mmap rnd bits'
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -208,6 +208,8 @@ jobs:
           fi
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'toolchain versions'
         run: |
@@ -416,6 +418,8 @@ jobs:
           while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'toolchain versions'
         run: |

diff --git a/.github/workflows/non-native.yml b/.github/workflows/non-native.yml
@@ -45,6 +45,8 @@ jobs:
         arch: ['x86_64']
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: 'cmake'
         uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
         with:
@@ -83,6 +85,8 @@ jobs:
         arch: ['x86_64']
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: 'cmake'
         uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
         with:
@@ -126,6 +130,8 @@ jobs:
       fail-fast: false
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: 'autotools'
         if: ${{ matrix.build == 'autotools' }}
         uses: cross-platform-actions/action@a0672d7f6de3a78e7784bbaf491c7303f68d94b3 # v0.26.0
@@ -193,6 +199,8 @@ jobs:
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: 'autotools'
         uses: vmactions/omnios-vm@16b5996777bc675acd3d537f13df536a526cd16d # v1
         with:

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -55,6 +55,8 @@ jobs:
       - run: git config --global core.autocrlf input
         shell: pwsh
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4
         with:
           platform: ${{ matrix.platform }}
@@ -187,6 +189,8 @@ jobs:
         shell: pwsh
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2
         if: ${{ matrix.sys == 'msys' }}
@@ -409,6 +413,8 @@ jobs:
 
       - run: git config --global core.autocrlf input
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'configure'
         timeout-minutes: 5
@@ -495,6 +501,8 @@ jobs:
         run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64 ${{ matrix.build == 'cmake' && 'ninja-build' || '' }}
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'autoreconf'
         if: ${{ matrix.build == 'autotools' }}
@@ -662,6 +670,8 @@ jobs:
       fail-fast: false
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: 'vcpkg cache setup'
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7