From 9aad666aec8c51b98f36bfaf8371c62c7a9efaf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milo=C5=A1=20Prchl=C3=ADk?=
Date: Tue, 29 Oct 2024 12:46:06 +0100
Subject: [PATCH] Disable credentials persistence in Github checkout action

According to a couple of articles, the default should be `false`, but it's not, which makes the token exposed to actions that do not need it. According to a linter I tried just for fun, we should enforce it to close this hole.

[1] https://github.com/actions/checkout/issues/485
[2] https://github.com/woodruffw/zizmor
---
 .github/workflows/doc-tests.yml  | 2 ++
 .github/workflows/pre-commit.yml | 2 ++
 .github/workflows/release.yml    | 3 +++
 .github/workflows/shellcheck.yml | 1 +
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/doc-tests.yml b/.github/workflows/doc-tests.yml
index 0e8e21e6ea..1c70979c1b 100644
--- a/.github/workflows/doc-tests.yml
+++ b/.github/workflows/doc-tests.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index cb0e2c3546..75d958d5d4 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -12,6 +12,8 @@ jobs:
       SKIP: no-commit-to-branch
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7183aefe03..c316ad7841 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,10 +22,13 @@ jobs:
       # Check out the repo
       - uses: actions/checkout@v4
         if: ${{ github.event_name == 'release' }}
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         if: ${{ github.event_name == 'workflow_dispatch' }}
         with:
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
 
       # Setup python
       - uses: actions/setup-python@v5
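Review bot: The `actions/checkout@v4` step that the new `with:` block in the doc-tests hunk hangs off is still referenced by a mutable tag, so the hardening only limits what later steps can do with the token and does not limit what a moved tag could run in the checkout step itself; the zizmor run cited in the description would also flag this as an unpinned `uses:`. Pinning to a full commit SHA with the tag kept as a trailing comment closes that gap, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`, where the placeholder is the resolved commit of the tag you intend. The same applies to the checkout lines in the pre-commit, release and shellcheck hunks of this patch. The enclosing `steps:` list continues outside the hunk.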
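Review bot: In the release.yml hunk, `persist-credentials: false` on both conditional checkout steps removes the workflow token from the clone's git config, so any later step in this release job that pushes a tag, branch or commit back to the repository would start failing on authentication; the rest of the job is outside the hunk, so this needs to be checked against the full file before merging. If such a step exists, supply the token to that step alone rather than re-enabling persistence, e.g. under that step's `env:` as `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so the credential stays scoped to the step that actually needs it. Steps that only build and publish artifacts are unaffected.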
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 6af26cdf77..5142297b66 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -20,6 +20,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - id: ShellCheck
         name: Differential ShellCheck
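Review bot: The checkout step this hunk extends is still `uses: actions/checkout@v3`, whereas the doc-tests, pre-commit and release workflows in the same patch are on `@v4`; v3 is the Node 16 line, which GitHub has deprecated, so bumping it to `uses: actions/checkout@v4` while the step is being edited keeps the four workflows consistent. The new `persist-credentials: false` should not interfere with `fetch-depth: 0`: as the action documents it, the token is still used for the fetch and is only dropped from the local git config afterward, so the full history that Differential ShellCheck compares against remains available. The step's `name:` line and the start of the `steps:` list are outside the hunk.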