
Commit 8762467

vszakatspps83
authored andcommitted
GHA: set persist-credentials: false
Suggested by zizmor GHA analysis tool. Also: - Move GH variables within single-quotes. - Prefer single-quotes in shell code. (tidy-up) Ref: actions/checkout#485 Ref: actions/checkout#1687 Ref: https://woodruffw.github.io/zizmor/ Closes curl#15746
1 parent e7d8eee commit 8762467

13 files changed

+72
-5
lines changed

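--- a/.github/workflows/checkdocs.yml
+++ b/.github/workflows/checkdocs.yml
@@ -37,6 +37,8 @@ jobs:
 # runs-on: ubuntu-latest
 # steps:
 # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+# with:
+# persist-credentials: false
 # name: checkout
 #
 # - name: install prereqs
@@ -89,6 +91,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: Run mdlinkcheck
@@ -98,6 +102,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: trim all man page *.md files
@@ -124,6 +130,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: badwords
@@ -136,6 +144,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: render nroff versions
@@ -149,6 +159,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: spacecheck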
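Review bot: The added `persist-credentials: false` carries no comment saying why it is there, in any of the checkout steps in this file or in the other workflow files of this commit, so a later edit can drop it or a new checkout step can omit it without anyone noticing. By default actions/checkout leaves the job token in the checked-out repository's local git config, where every later step in the job can read it; a one-line comment on the first occurrence in each file would record that, e.g. `# keep the job token out of .git/config; later steps do not need git auth`. None of the steps visible in these hunks appears to run an authenticated git command, but the jobs continue outside the hunks, so that is worth confirming per job.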

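--- a/.github/workflows/checksrc.yml
+++ b/.github/workflows/checksrc.yml
@@ -36,6 +36,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: check
@@ -45,6 +47,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: install
@@ -81,6 +85,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: REUSE Compliance Check
@@ -91,6 +97,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 name: checkout
 
 - name: shellcheck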

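--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -48,6 +48,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL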

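--- a/.github/workflows/configure-vs-cmake.yml
+++ b/.github/workflows/configure-vs-cmake.yml
@@ -33,6 +33,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - name: run configure --with-openssl
 run: |
@@ -71,6 +73,8 @@ jobs:
 echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'
 
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - name: run configure --with-openssl
 run: |
@@ -108,6 +112,8 @@ jobs:
 run: sudo apt-get --quiet 2 --option Dpkg::Use-Pty=0 install mingw-w64
 
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - name: run configure --with-schannel
 run: |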

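--- a/.github/workflows/curl-for-win.yml
+++ b/.github/workflows/curl-for-win.yml
@@ -48,6 +48,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -75,6 +76,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -101,6 +103,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'
@@ -116,6 +119,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+persist-credentials: false
 path: 'curl'
 fetch-depth: 8
 - name: 'build'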

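--- a/.github/workflows/distcheck.yml
+++ b/.github/workflows/distcheck.yml
@@ -25,6 +25,8 @@ jobs:
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
 name: 'remove preinstalled curl libcurl4{-doc}'
@@ -129,6 +131,8 @@ jobs:
 needs: maketgz-and-verify-in-tree
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
@@ -141,6 +145,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
 name: 'remove preinstalled curl libcurl4{-doc}'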

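--- a/.github/workflows/hacktoberfest-accepted.yml
+++ b/.github/workflows/hacktoberfest-accepted.yml
@@ -28,6 +28,7 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
+persist-credentials: false
 fetch-depth: 100
 
 - name: Check whether repo participates in Hacktoberfest
@@ -40,13 +41,13 @@ jobs:
 
 - name: Search relevant commit message lines starting with Closes/Merges
 run: |
-git log --format=email ${{ github.event.before }}..${{ github.event.after }} | \
-grep -Ei "^Close[sd]? " | sort | uniq | tee log
+git log --format=email '${{ github.event.before }}..${{ github.event.after }}' | \
+grep -Ei '^Close[sd]? ' | sort | uniq | tee log
 if: steps.check.outputs.label == 'hacktoberfest'
 
 - name: Search for Number-based PR references
 run: |
-grep -Eo "#([0-9]+)" log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
+grep -Eo '#([0-9]+)' log | cut -d# -f2 | sort | uniq | xargs -t -n1 -I{} \
 gh pr view {} --json number,createdAt \
 --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
 grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
@@ -57,8 +58,8 @@ jobs:
 
 - name: Search for URL-based PR references
 run: |
-grep -Eo "github.com/(.+)/(.+)/pull/([0-9]+)" log | sort | uniq | xargs -t -n1 -I{} \
-gh pr view "https://{}" --json number,createdAt \
+grep -Eo 'github.com/(.+)/(.+)/pull/([0-9]+)' log | sort | uniq | xargs -t -n1 -I{} \
+gh pr view 'https://{}' --json number,createdAt \
 --jq '{number, opened: .createdAt} | [.number, .opened] | join(":")' | tee /dev/stderr | \
 grep -Eo '^([0-9]+):[0-9]{4}-(09-30T|10-|11-01T)' | cut -d: -f1 | sort | uniq | xargs -t -n1 -I {} \
 gh pr edit {} --add-label 'hacktoberfest-accepted'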
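Review bot: Wrapping `${{ github.event.before }}..${{ github.event.after }}` in single quotes on the `git log` line does not make the interpolation safe, because the runner substitutes the expression into the script text before the shell parses it, so the quoting only holds while the value contains no single quote. Both values are commit SHAs taken from the push event, so the practical exposure looks small, but the robust pattern is to pass them through the step's `env:` and let the shell expand quoted variables, as sketched below. The job's remaining steps and its token setup lie outside the hunks shown, so this covers only the one `run:` block that interpolates an expression.

```yaml
- name: Search relevant commit message lines starting with Closes/Merges
  env:
    BEFORE: '${{ github.event.before }}'
    AFTER: '${{ github.event.after }}'
  run: |
    git log --format=email "${BEFORE}..${AFTER}" | \
      grep -Ei '^Close[sd]? ' | sort | uniq | tee log
  # … unchanged: if: condition on steps.check.outputs.label …
```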

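--- a/.github/workflows/http3-linux.yml
+++ b/.github/workflows/http3-linux.yml
@@ -450,6 +450,8 @@ jobs:
 name: 'build quiche and boringssl'
 
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - run: autoreconf -fi
 if: ${{ matrix.build.configure }}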

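--- a/.github/workflows/linux-old.yml
+++ b/.github/workflows/linux-old.yml
@@ -74,6 +74,8 @@ jobs:
 dpkg -i libc6_*_amd64.deb
 
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - name: 'cmake build-only (out-of-tree, libssh2)'
 run: |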

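--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -320,6 +320,8 @@ jobs:
 name: 'install dependencies'
 
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
 
 - name: 'Fix kernel mmap rnd bits'
 # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with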
