ci: disable persist-credentials on checkouts that don't push #1463
Stops GITHUB_TOKEN from being written into .git/config on jobs that never run authenticated git operations against this repo. Clears CodeRabbit's repeated finding and matches OpenSSF Scorecard guidance. release-rs and update-flake are left alone because release-plz and DeterminateSystems/update-flake-lock both rely on the persisted credential to push.
Brings in the dry-run + persist-credentials + Determinate-Nix opt-out changes from main (PRs #1463, #1464, #1465). Resolves the recurring conflict in moq-relay.yml by keeping this branch's Nix-based rewrite and layering the new patterns on top.

Extends the dry-run pattern to the four workflows this branch adds plus moq-gst (which #1464 didn't cover):

- moq-relay, moq-cli, moq-clock, moq-token-cli, moq-gst now trigger on pull_request when the workflow itself, its build script, the nix derivation, or the flake changes. The build job parses the version from Cargo.toml on PRs (release.sh parse-version expects a tag). The release job is gated on github.event_name == 'push'.
- release-brew.yml gains a dry-run job that, on PRs touching the workflow or any formula template, renders every template against synthetic tarballs and runs ruby -c on the output. The publish job is gated to workflow_run events only.

Also adds persist-credentials: false to all checkouts that don't push, and `with: { determinate: false }` to nix-installer-action, matching the main-branch convention.

https://claude.ai/code/session_015J5tVAQ7ESjBhnzdeXfhgX
…ish)
* packaging/moq-relay/moq-relay.service: ExecStart was passing --config
but moq-relay's clap parser exposes the TOML path as --file (see
rs/moq-relay/src/config.rs). The service would have failed to start
on every install.
* infra/apt/src/worker.ts: stop applying immutable Cache-Control to all
.gpg files. The only static one is moq-archive-keyring.gpg; Release.gpg
is rewritten every release and was getting pinned at the edge.
* infra/rpm/publish.sh: reject .rpms whose arch isn't in ARCHES (or
noarch). Previously an unsupported arch silently produced a directory
that never got indexed or signed.
* infra/{apt,rpm}/publish.sh: move GNUPGHOME removal into the EXIT trap
so key material is wiped even when signing fails.
* .github/workflows: set persist-credentials: false on every checkout in
the workflows this PR introduced (moq-cli, moq-token-cli, apt-repo,
rpm-repo, and the new moq-gst package-deb / package-rpm jobs). Brings
them in line with the convention from #1463.
* packaging/moq-relay/relay.toml: the comment claimed anonymous publish
was anon/** only; config also grants demo/viewer. Fixed.
* rs/justfile: drop the hardcoded amd64 fallback when dpkg isn't
installed. Map from uname -m so `just rs package` produces the right
arch label on arm64 hosts.
* rs/moq-gst/package.sh: validate that flag values are present before
reading $2, so a missing value produces a usage error instead of an
unbound-variable crash.
* doc/setup/linux.md: create /var/lib/moq-relay before the cp step (it
doesn't exist until the service starts and creates its StateDirectory)
and rename the misleading "verify a .deb directly" heading.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
By default `actions/checkout` writes `GITHUB_TOKEN` into `.git/config` so subsequent `git` commands authenticate transparently. Any later step in the same job can read that token, which is why OpenSSF Scorecard / CIS GitHub recommend setting `persist-credentials: false` whenever the workflow doesn't actually need authenticated git operations. CodeRabbit has been flagging this on every PR.

This adds `persist-credentials: false` to 18 checkout steps across 8 workflows. The most security-relevant one is check.yml since it runs on `pull_request` against untrusted code; the rest are defensive hardening on release workflows that only push to crates.io / npm / PyPI / Cachix / Maven Central / docker.io, not back to this repo.

Two checkouts are intentionally left as-is because the persisted credential is load-bearing:

- `release-plz` runs `git push` using the credential the checkout persisted (it passes `token:` explicitly).
- `DeterminateSystems/update-flake-lock` pushes a branch and opens the PR using the persisted credential.

Test plan

- check.yml still passes on this PR (it's the only workflow that runs on `pull_request`)
- persist-credentials findings
- `git push`, `git commit`, or `git tag` against this repo (the `gh` CLI calls in .github/scripts/release.sh use `GH_TOKEN` from step env, not the persisted credential)

🤖 Generated with Claude Code
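The convention this PR establishes is easy to regress when a new workflow is added, so a repo-side check is worth keeping. The following Python script is an added example (not code from this PR or the moq project): it walks workflow text, finds every `actions/checkout` step that does not set `persist-credentials: false`, and lets you allow-list the jobs whose persisted credential is load-bearing, mirroring the page's release-rs / update-flake exceptions. The sample workflow, the `publish-crate` job, the `example/release-action` step and the `RELEASE_TOKEN` secret name are constructed for the demo. It uses a line-based walk instead of a YAML library so it runs on the standard library alone, and assumes block-style YAML (jobs and steps on their own lines, job names as direct keys under `jobs:`).

```python
"""Flag actions/checkout steps that leave GITHUB_TOKEN persisted in .git/config.

Added example, not project code. Line-based scan; assumes block-style YAML
with job names as direct keys under `jobs:` and steps written as list items.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

STEP_RE = re.compile(r"^(\s*)-\s")                     # first line of a list item
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*$")     # bare mapping key (e.g. "jobs:")
CHECKOUT_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*actions/checkout@")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
TOKEN_RE = re.compile(r"^\s*token:\s*\S")
NAME_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(.+?)\s*$")


@dataclass
class Finding:
    job: str
    step: str
    line: int      # 1-based line where the offending step starts
    reason: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text: str, allow: FrozenSet[str] = frozenset()) -> List[Finding]:
    """One Finding per checkout step that keeps credentials, skipping jobs in `allow`."""
    lines = text.splitlines()
    findings: List[Finding] = []
    in_jobs, job_indent, job = False, None, "<unknown>"
    i = 0
    while i < len(lines):
        key = KEY_RE.match(lines[i])
        if key:
            indent, name = len(key.group(1)), key.group(2)
            if name == "jobs" and indent == 0:
                in_jobs, job_indent = True, None       # job names follow at the next level
            elif in_jobs and (job_indent is None or indent == job_indent):
                job_indent, job = indent, name
        step = STEP_RE.match(lines[i])
        if not (in_jobs and step):
            i += 1
            continue
        # A step's body is every following line that is blank or indented past its dash.
        dash = len(step.group(1))
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > dash):
            j += 1
        body = lines[i:j]
        is_checkout = any(CHECKOUT_RE.match(b) for b in body)
        if is_checkout and job not in allow and not any(PERSIST_FALSE_RE.match(b) for b in body):
            label = body[0].strip().lstrip("- ")
            for b in body:                              # prefer the step's name: if it has one
                m = NAME_RE.match(b)
                if m:
                    label = m.group(1)
                    break
            if any(TOKEN_RE.match(b) for b in body):
                reason = ("persist-credentials is not false and an explicit token: is passed; "
                          "keep only if this job really pushes to the repo")
            else:
                reason = ("persist-credentials is not false; GITHUB_TOKEN stays in .git/config "
                          "for every later step of the job")
            findings.append(Finding(job, label, i + 1, reason))
        i = j
    return findings


# Constructed sample: one weak checkout on a pull_request job, one hardened
# checkout, and one that passes a token because the job pushes (allow-listed).
SAMPLE_WORKFLOW = """\
name: check
on:
  pull_request:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test
        run: cargo test
  publish-crate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: cargo publish
  release-rs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.RELEASE_TOKEN }}
      - uses: example/release-action@v1
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, allow=frozenset({"release-rs"})):
        print(f"{f.job}: step '{f.step}' (line {f.line}): {f.reason}")
```

Run it over `.github/workflows/*.yml` in CI (for example as a `pull_request` check that exits non-zero on findings) and keep the allow-list short and explicit; a step that passes `token:` still persists it unless `persist-credentials: false` is set, so the script reports those separately rather than assuming they are fine.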