Closed
Labels: automation, code-quality, cookie, Issue Monster Loves Cookies!, refactoring, security, task-mining
Description
Two workflows upload artifacts that may contain the job's GitHub token. The zizmor static analyzer for GitHub Actions workflows reports this as a medium-severity `artipacked` finding.
Affected Workflows:
- daily-copilot-token-report.lock.yml (line 115)
- hourly-ci-cleaner.lock.yml (line 817)
Security Risk: actions/checkout defaults to `persist-credentials: true`, which stores the job's GITHUB_TOKEN in the checkout's `.git/config` (as an `http.<url>.extraheader` Authorization header) so that later git commands can authenticate. If the checkout directory, or its `.git` folder, is then uploaded with actions/upload-artifact, the token is shipped inside the artifact archive, where anyone who can download artifacts for the run can read it. The token expires when the job that issued it finishes (after at most 24 hours), so the exposure window is bounded, but within that window the token carries whatever `permissions:` the job was granted.
Suggested Changes
- Review artifact upload steps in both workflows to ensure GITHUB_TOKEN is not included
- Option A: Exclude the `.git` directory and credential files from artifact uploads
- Option B: Use actions/checkout with `persist-credentials: false` before artifact creation (note that any later step that pushes or fetches via git will then need an explicit token, for example through the `gh` CLI or a `GITHUB_TOKEN` environment variable, since nothing is stored in `.git/config`)
- Option C: Clean up credentials before artifact upload
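To make Option C and the review step above concrete, the following POSIX shell script can run as a workflow step immediately before `actions/upload-artifact`. It is an added example, not code from the gh-aw repository or its compiled workflows. It assumes the token persisted by actions/checkout@v4 sits in `.git/config` as an `http.https://github.com/.extraheader` Authorization entry (which is how `persist-credentials: true` stores it), and it builds a throwaway checkout with a made-up token value so the check can be exercised offline.

```sh
#!/bin/sh
# Pre-upload credential check for a GitHub Actions checkout directory.
# Added example, not part of the gh-aw project. Assumption: actions/checkout
# persists GITHUB_TOKEN in .git/config as
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:TOKEN")>

# Build a constructed sample checkout that looks like one left behind by
# actions/checkout with persist-credentials: true. The token is fake.
make_sample_checkout() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.git" "$dir/output"
  cat > "$dir/.git/config" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example/repo
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX0ZBS0VUT0tFTg==
EOF
  echo "report" > "$dir/output/report.txt"
  printf '%s\n' "$dir"
}

# Return 0 if the tree carries no persisted GitHub credential, 1 otherwise.
# Checks the extraheader written by actions/checkout and a stray
# .git-credentials file (what `git config credential.helper store` produces).
find_persisted_creds() {
  root=$1
  rc=0
  if [ -f "$root/.git/config" ] && grep -qi 'extraheader *= *AUTHORIZATION' "$root/.git/config"; then
    echo "credential header found in $root/.git/config" >&2
    rc=1
  fi
  if [ -f "$root/.git-credentials" ]; then
    echo "stored credentials found in $root/.git-credentials" >&2
    rc=1
  fi
  return $rc
}

# Option C: strip the persisted header before upload-artifact runs.
# The empty [http ...] section left behind is harmless to git.
scrub_persisted_creds() {
  root=$1
  cfg=$root/.git/config
  if [ -f "$cfg" ]; then
    # Rewrite via a temp file rather than `sed -i`, which differs between GNU and BSD sed.
    grep -vi 'extraheader *= *AUTHORIZATION' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  fi
  rm -f "$root/.git-credentials"
}

# Workflow usage (GITHUB_WORKSPACE is set by the runner):
#   find_persisted_creds "$GITHUB_WORKSPACE" || scrub_persisted_creds "$GITHUB_WORKSPACE"
```

Running `find_persisted_creds` a second time after the scrub, and failing the step if it still returns non-zero, gives a cheap in-job assertion that complements the zizmor check in the success criteria; zizmor inspects the workflow definition, while this inspects the files that are actually about to be archived.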
Example Fix Pattern
```yaml
---
# In workflow frontmatter
jobs:
  main:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false # Prevent token persistence in .git/config
      # ... work steps ...
      - name: Upload Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: results
          path: |
            output/
            !.git/ # Exclude the git directory; only matters if the upload path covers the checkout root
```
Files Affected
- .github/workflows/daily-copilot-token-report.md (source)
- .github/workflows/hourly-ci-cleaner.md (source)
- Compiled .lock.yml files will be regenerated after the fix
Success Criteria
- Review both workflows' artifact upload steps
- Implement a credential exclusion strategy
- Run `make recompile` to regenerate lock files
- Verify with zizmor that the artipacked findings are resolved
- All tests pass (`make test-unit`)
Source
Extracted from Static Analysis Report discussion #14429
Zizmor finding:
- Issue: artipacked
- Severity: Medium
- Reference: Credential persistence through GitHub Actions artifacts
Priority
High - Security issue affecting credential safety, should be fixed during release focus period
AI generated by Discussion Task Miner - Code Quality Improvement Agent
- expires on Feb 9, 2026, 1:29 AM UTC