fix(devops): do not persist credentials in checkout action (#5543)

# Motivation

An apparently known security issue of `actions/checkout` is the default
of `persist-credentials` set to `true`. It was requested to the Github
developers to change it (see
actions/checkout#485), but it does not seem
that it is a plan in the short-terms.

So, for now we solve it our way.

# Changes

- Set `persist-credentials` to `false` in all the uses of
`actions/checkout`.
- Created new action to `add-and-commit` since the existing
`EndBug/add-and-commit` one does not work well if we do not persist the
credentials according to
[documentation](https://github.com/EndBug/add-and-commit?tab=readme-ov-file#about-actionscheckout)
(see EndBug/add-and-commit#673 too).

# Tests

CIs work as they are supposed to.

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Max <bitdivine@users.noreply.github.com>

Author: 3 people

.github/actions/add-and-commit/action.yml

@@ -0,0 +1,39 @@
+name: Add and Commit
+description: Set git remote and commit changes (e.g., formatting)
+
+inputs:
+  add:
+    description: Files to add
+    required: false
+    default: '.'
+  message:
+    description: Commit message
+    required: true
+  token:
+    description: GitHub token
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set git remote silently and locally
+      run: |
+        git config url."https://github-actions:$GITHUB_TOKEN@github.com/".insteadOf "https://github.com/"
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      shell: bash
+
+    - name: Commit format
+      uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+      with:
+        add: ${{ inputs.add }}
+        default_author: github_actions
+        message: ${{ inputs.message }}
+
+    - name: Unset local git remote config
+      run: |
+        git config --unset-all url."https://github-actions:${GITHUB_TOKEN}@github.com/".insteadOf || true
+        git config --unset-all url."https://github.com/".insteadOf || true
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      shell: bash

.github/workflows/auto-update-i18n.yml

@@ -26,6 +26,7 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Prepare
         uses: ./.github/actions/prepare
@@ -44,8 +45,7 @@ jobs:
 
       - name: Commit i18n
         if: steps.check_changes.outputs.changes_detected == 'true'
-        uses: EndBug/add-and-commit@v9
+        uses: ./.github/actions/add-and-commit
         with:
-          add: .
-          default_author: github_actions
           message: '🤖 Updated i18n files'
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/backend-checks.yml

@@ -26,6 +26,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
       - uses: actions/cache@v4
         with:
           path: |
@@ -42,6 +44,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
       - run: sudo snap install yq
       - name: Dependencies are defined in the workspace
         run: ./scripts/lint.cargo-workspace-dependencies.sh
@@ -54,6 +58,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/needs_success
         with:
           needs: '${{ toJson(needs) }}'

.github/workflows/backend-tests.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Build Base Docker Image
         uses: ./.github/actions/docker-build-base
@@ -45,6 +47,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Build canister WASM
         uses: ./.github/actions/docker-build-backend
@@ -60,6 +64,8 @@ jobs:
     needs: ['docker-build']
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -87,6 +93,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/needs_success
         with:
           needs: '${{ toJson(needs) }}'

.github/workflows/binding-checks.yml

@@ -34,10 +34,13 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Checkout code
         if: steps.check_can_add_commit.outputs.can_add_commit == 'false'
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - uses: dorny/paths-filter@v3
         id: changes
@@ -106,11 +109,10 @@ jobs:
 
       - name: Commit bindings
         if: steps.changes.outputs.src == 'true' && steps.check_can_add_commit.outputs.can_add_commit == 'true' && steps.check_changes.outputs.changes_detected == 'true'
-        uses: EndBug/add-and-commit@v9
+        uses: ./.github/actions/add-and-commit
         with:
-          add: .
-          default_author: github_actions
           message: '🤖 Apply bindings changes'
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Provide diff
         if: steps.changes.outputs.src == 'true' && steps.check_can_add_commit.outputs.can_add_commit == 'false' && steps.check_changes.outputs.changes_detected == 'true'
@@ -127,6 +129,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/needs_success
         with:
           needs: '${{ toJson(needs) }}'

.github/workflows/bump-version.yml

@@ -34,6 +34,8 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Prepare
         uses: ./.github/actions/prepare

.github/workflows/deploy-to-environment.yml

@@ -118,6 +118,7 @@ jobs:
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Set Environment Variables Based on Network
         run: |

.github/workflows/devops-checks.yml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Install shellcheck
         run: ./scripts/setup shellcheck

.github/workflows/e2e-tests.yml

@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Fetch base branch
         run: |
@@ -54,13 +56,16 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name != 'pull_request' }}
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Checkout for pull request
         if: ${{ github.event_name == 'pull_request' }}
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
+          persist-credentials: false
 
       - name: Build oisy-backend WASM
         uses: ./.github/actions/oisy-backend
@@ -93,6 +98,8 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name != 'pull_request' }}
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Checkout for pull request
         if: ${{ github.event_name == 'pull_request' }}
@@ -101,6 +108,7 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Download WASM artifact
         uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
@@ -191,6 +199,8 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name != 'pull_request' }}
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Checkout for pull request
         if: ${{ github.event_name == 'pull_request' }}
@@ -199,6 +209,7 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Set snapshot status from previous jobs
         run: |
@@ -234,12 +245,12 @@ jobs:
           fi
 
       - name: Commit and push updates
-        uses: EndBug/add-and-commit@v9
+        uses: ./.github/actions/add-and-commit
         if: env.FINAL_CHANGES == 'true' && github.ref != 'refs/heads/main'
         with:
           add: e2e
-          default_author: github_actions
           message: '🤖 Update E2E snapshots'
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Stage Changes on main
         if: env.FINAL_CHANGES == 'true' && github.ref == 'refs/heads/main'

.github/workflows/formatting-checks.yml

@@ -46,10 +46,13 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Checkout code
         if: steps.check_can_add_commit.outputs.can_add_commit == 'false'
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: ./.github/actions/install-rust
@@ -77,11 +80,10 @@ jobs:
 
       - name: Commit format
         if: steps.check_can_add_commit.outputs.can_add_commit == 'true' && steps.check_changes.outputs.changes_detected == 'true'
-        uses: EndBug/add-and-commit@v9
+        uses: ./.github/actions/add-and-commit
         with:
-          add: .
-          default_author: github_actions
           message: '🤖 Apply formatting changes'
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Provide diff
         if: steps.check_can_add_commit.outputs.can_add_commit == 'false' && steps.check_changes.outputs.changes_detected == 'true'