
Fix credential persistence vulnerability in release.md#5308

Merged
pelikhan merged 2 commits into main from copilot/fix-credential-vulnerability
Dec 2, 2025

Conversation

Contributor

Copilot AI commented Dec 2, 2025

Zizmor flagged an artipacked vulnerability in the release workflow's checkout step. Without persist-credentials: false, the GitHub token persists to .git/config and could leak through artifact uploads.

Changes

  • Added persist-credentials: false to the checkout step in the release job
- name: Checkout
  uses: actions/checkout@v5
  with:
    fetch-depth: 0
    persist-credentials: false

Verified with gh aw compile release --zizmor — artipacked finding is resolved.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix credential persistence vulnerability in release.md</issue_title>
<issue_description>
## Objective

Address the Medium severity security issue (artipacked) in .github/workflows/release.md to prevent credential exposure through GitHub Actions artifacts.

Context

Priority: 🔴 HIGH (Only Medium severity security finding in the scan)

The zizmor security scanner identified a credential persistence vulnerability at line 5876:9 in the "Checkout" step. This could allow credentials to be persisted in workflow artifacts, potentially exposing sensitive data to unauthorized users with artifact access.

Reference: (redacted)#artipacked

Approach

  1. Review the checkout step in release.md at line 5876
  2. Identify what credentials are being persisted
  3. Consult zizmor documentation for recommended remediation strategies
  4. Implement one of the following mitigations:
    • Use persist-credentials: false in checkout action
    • Avoid uploading sensitive directories to artifacts
    • Sanitize artifacts before upload
  5. Test the workflow to ensure it still functions correctly

Files to Modify

  • .github/workflows/release.md (line ~5876)

Acceptance Criteria

  • Credential persistence vulnerability eliminated
  • Workflow still functions as intended
  • Zizmor scan passes without artipacked finding
  • Release process tested and verified working

Testing

# Re-run zizmor scan on the modified workflow
gh aw compile release --zizmor

Related to #5294

AI generated by Plan Command for discussion #5280

Comments on the Issue (you are @copilot in this section)
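As an added example (not part of this PR or the project's own tooling), a POSIX shell check that tests for the leak path described above: with the default persist-credentials, actions/checkout writes the job token into .git/config as an http extraheader, and this gate refuses to continue to an artifact upload while that entry is present. The repository URL and token value below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the PR): detect a persisted GitHub token in a
# checked-out repo's .git/config before the tree is uploaded as an artifact.
# actions/checkout stores the token as an HTTP extraheader entry
# (http.https://github.com/.extraheader = AUTHORIZATION: basic <base64>)
# when persist-credentials is left at its default of true.

# Usage: has_persisted_token <path-to-.git/config>
# Returns 0 when an AUTHORIZATION extraheader is present, 1 when the config is clean.
has_persisted_token() {
    config="$1"
    [ -f "$config" ] || return 1
    # Match the key actions/checkout writes; case-insensitive on the header name.
    grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$config"
}

# Constructed sample configs for demonstration; the token value is a placeholder.
make_sample_configs() {
    dir="$(mktemp -d)"
    cat > "$dir/leaky.config" <<'EOF'
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/example-org/example-repo
	fetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64_TOKEN
EOF
    cat > "$dir/clean.config" <<'EOF'
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/example-org/example-repo
	fetch = +refs/heads/*:refs/remotes/origin/*
EOF
    printf '%s\n' "$dir"
}

# Gate to run in a workflow step before actions/upload-artifact:
# fails the job if the token is still in .git/config.
artifact_safety_gate() {
    if has_persisted_token "$1"; then
        echo "refusing to upload: persisted token found in $1 (set persist-credentials: false)" >&2
        return 1
    fi
    return 0
}
```

In a workflow, run `artifact_safety_gate .git/config` as a step immediately before the upload step; it passes once the checkout step carries persist-credentials: false as in this PR.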



…ist-credentials: false

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix credential persistence vulnerability in release.md" to "Fix credential persistence vulnerability in release.md" on Dec 2, 2025
Copilot AI requested a review from pelikhan December 2, 2025 14:54


Development

Successfully merging this pull request may close these issues.

[plan] Fix credential persistence vulnerability in release.md

2 participants