workflows: checkout without persisting credentials

stefanb · Jan 7, 2024 · 31766b0 · 31766b0
1 parent 773f1f6
commit 31766b0
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 1 deletion.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -36,6 +36,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -18,5 +18,7 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v3
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,6 +15,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -20,7 +20,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 0 # needs full git history for changelog generation
+          fetch-tags: true
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@v5

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -20,6 +20,8 @@ jobs:
         go: [ 'stable', 'oldstable' ]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@v5