From 96fd9bf20a4199265cbc1952460f76a852a3e505 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki <suzuki-shunsuke@users.noreply.github.com>
Date: Wed, 25 Dec 2024 10:52:06 +0900
Subject: [PATCH] ci: disable actions/checkout's persist-credentials (#3387)

---
 .github/workflows/debug-with-action-tmate.yaml | 1 +
 .github/workflows/macos-test.yaml              | 2 ++
 .github/workflows/wc-ghalint.yaml              | 2 ++
 .github/workflows/wc-integration-test.yaml     | 6 ++++++
 .github/workflows/wc-test-docker-prebuilt.yaml | 2 ++
 .github/workflows/wc-test.yaml                 | 2 ++
 .github/workflows/windows-test.yaml            | 2 ++
 7 files changed, 17 insertions(+)

diff --git a/.github/workflows/debug-with-action-tmate.yaml b/.github/workflows/debug-with-action-tmate.yaml
index a2652cfee..4bbe993aa 100644
--- a/.github/workflows/debug-with-action-tmate.yaml
+++ b/.github/workflows/debug-with-action-tmate.yaml
@@ -19,6 +19,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{inputs.ref}}
+          persist-credentials: false
 
       - run: gh pr checkout "${{inputs.pr_number}}"
         if: inputs.pr_number != ''
diff --git a/.github/workflows/macos-test.yaml b/.github/workflows/macos-test.yaml
index 3da9c4052..0cddabc08 100644
--- a/.github/workflows/macos-test.yaml
+++ b/.github/workflows/macos-test.yaml
@@ -13,6 +13,8 @@ jobs:
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: 1.23.4
diff --git a/.github/workflows/wc-ghalint.yaml b/.github/workflows/wc-ghalint.yaml
index 82a1cf227..1bd4a31b2 100644
--- a/.github/workflows/wc-ghalint.yaml
+++ b/.github/workflows/wc-ghalint.yaml
@@ -11,6 +11,8 @@ jobs:
     permissions: {}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0
         with:
           aqua_version: v2.40.0
diff --git a/.github/workflows/wc-integration-test.yaml b/.github/workflows/wc-integration-test.yaml
index cb097223f..fc5c68d01 100644
--- a/.github/workflows/wc-integration-test.yaml
+++ b/.github/workflows/wc-integration-test.yaml
@@ -12,6 +12,8 @@ jobs:
       AQUA_GLOBAL_CONFIG: ${{ github.workspace }}/tests/main/aqua-global.yaml:${{ github.workspace }}/tests/main/aqua-global-2.yaml
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: go.mod
@@ -219,6 +221,8 @@ jobs:
       AQUA_LOG_COLOR: always
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: go.mod
@@ -259,6 +263,8 @@ jobs:
       AQUA_GLOBAL_CONFIG: ${{ github.workspace }}/tests/main/aqua-global.yaml:${{ github.workspace }}/tests/main/aqua-global-2.yaml
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: go.mod
diff --git a/.github/workflows/wc-test-docker-prebuilt.yaml b/.github/workflows/wc-test-docker-prebuilt.yaml
index ccc031b5c..cdc2ea4ff 100644
--- a/.github/workflows/wc-test-docker-prebuilt.yaml
+++ b/.github/workflows/wc-test-docker-prebuilt.yaml
@@ -9,4 +9,6 @@ jobs:
     permissions: {}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - run: docker build -t aquaproj-aqua-dev -f Dockerfile-prebuilt .
diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml
index 4101ac176..0dab87a8e 100644
--- a/.github/workflows/wc-test.yaml
+++ b/.github/workflows/wc-test.yaml
@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: 1.23.4
diff --git a/.github/workflows/windows-test.yaml b/.github/workflows/windows-test.yaml
index 443955a78..54d9f1a84 100644
--- a/.github/workflows/windows-test.yaml
+++ b/.github/workflows/windows-test.yaml
@@ -30,6 +30,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{inputs.ref}}
+          persist-credentials: false
       - run: gh pr checkout "${{inputs.pr_number}}"
         if: inputs.pr_number != ''
         env:
@@ -118,6 +119,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{inputs.ref}}
+          persist-credentials: false
       - run: gh pr checkout "${{inputs.pr_number}}"
         if: inputs.pr_number != ''
         env: