ci: do not persiste git credentials in GitHub Actions (#11640)

DataDog · Dec 9, 2024 · b875079 · b875079
1 parent 5bc8f81
commit b875079
Show file tree

Hide file tree

Showing 19 changed files with 65 additions and 6 deletions.
diff --git a/.github/workflows/build-and-publish-image.yml b/.github/workflows/build-and-publish-image.yml
@@ -28,6 +28,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
     - name: Set up Docker Buildx

diff --git a/.github/workflows/build_deploy.yml b/.github/workflows/build_deploy.yml
@@ -34,6 +34,7 @@ jobs:
       - uses: actions/checkout@v4
         # Include all history and tags
         with:
+          persist-credentials: false
           fetch-depth: 0
       - uses: actions-rust-lang/setup-rust-toolchain@v1
       - uses: actions/setup-python@v5
@@ -58,6 +59,8 @@ jobs:
       image: python:3.9-alpine
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@v4
         with:
           name: source-dist

diff --git a/.github/workflows/build_python_3.yml b/.github/workflows/build_python_3.yml
@@ -20,6 +20,8 @@ jobs:
       include: ${{steps.set-matrix.outputs.include}}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.8'
@@ -51,6 +53,7 @@ jobs:
       - uses: actions/checkout@v4
         # Include all history and tags
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: actions/setup-python@v5

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -15,6 +15,7 @@ jobs:
       - uses: actions/checkout@v4
         # Include all history and tags
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       # Ensure a new reno release note was added in this PR.

diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
@@ -12,6 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Get changed files
         id: changed-files

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -27,6 +27,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/django-overhead-profile.yml b/.github/workflows/django-overhead-profile.yml
@@ -33,6 +33,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: ddtrace
 
       - uses: actions/setup-python@v5
@@ -51,4 +52,3 @@ jobs:
         with:
           name: django-overhead-profile${{ matrix.suffix }}
           path: ${{ github.workspace }}/prefix/artifacts
-
diff --git a/.github/workflows/encoders-profile.yml b/.github/workflows/encoders-profile.yml
@@ -21,6 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: ddtrace
 
       - uses: actions/setup-python@v5
@@ -43,4 +44,3 @@ jobs:
         with:
           name: encoders-profile
           path: ${{ github.workspace }}/prefix/artifacts
-
diff --git a/.github/workflows/flask-overhead-profile.yml b/.github/workflows/flask-overhead-profile.yml
@@ -21,6 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: ddtrace
 
       - uses: actions/setup-python@v5
@@ -39,4 +40,3 @@ jobs:
         with:
           name: flask-overhead-profile
           path: ${{ github.workspace }}/prefix/artifacts
-
diff --git a/.github/workflows/generate-package-versions.yml b/.github/workflows/generate-package-versions.yml
@@ -16,6 +16,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Python 3.7
         uses: actions/setup-python@v5

diff --git a/.github/workflows/pr-name.yml b/.github/workflows/pr-name.yml
@@ -11,6 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
       - uses: actions/setup-node@v4
         name: Install Node.js

diff --git a/.github/workflows/requirements-locks.yml b/.github/workflows/requirements-locks.yml
@@ -15,6 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Fixup git permissions

diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
@@ -14,6 +14,8 @@ jobs:
         extension: ["src/core"]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install latest stable toolchain and rustfmt
         run: rustup update stable && rustup default stable && rustup component add rustfmt clippy
       - name: Run cargo build

diff --git a/.github/workflows/set-target-milestone.yml b/.github/workflows/set-target-milestone.yml
@@ -15,6 +15,7 @@ jobs:
       - uses: actions/checkout@v4
         # Include all history and tags
         with:
+          persist-credentials: false
           fetch-depth: 0
       - uses: actions/setup-python@v5
         name: Install Python
@@ -32,7 +33,7 @@ jobs:
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
-            const title = "${{ steps.milestones.outputs.milestone }}";
+            const title = "${{ steps.milestones.outputs.milestone }}"
 
             const milestones = await github.rest.issues.listMilestones({
               owner: context.repo.owner,
@@ -52,6 +53,6 @@ jobs:
             await github.rest.issues.update({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: ${{ github.event.pull_request.number }},
+              issue_number: context.pull_request.number,
               milestone: milestone.number,
             });
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
@@ -18,6 +18,7 @@ jobs:
       - name: Checkout system tests
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: 'DataDog/system-tests'
 
       - name: Build agent
@@ -62,11 +63,13 @@ jobs:
       - name: Checkout system tests
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: 'DataDog/system-tests'
 
       - name: Checkout dd-trace-py
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: 'binaries/dd-trace-py'
           fetch-depth: 0
           # NB this ref is necessary to keep the checkout out of detached HEAD state, which setuptools_scm requires for
@@ -112,6 +115,7 @@ jobs:
       - name: Checkout system tests
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: 'DataDog/system-tests'
 
       - name: Build runner
@@ -280,10 +284,12 @@ jobs:
       - name: Checkout system tests
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: 'DataDog/system-tests'
       - name: Checkout dd-trace-py
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: 'binaries/dd-trace-py'
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha || github.sha }}