From 9836dd6f7153c0fa326de0cc139ddc85dd04b24b Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Fri, 24 Apr 2026 13:24:22 -0700
Subject: [PATCH] use persist-credentials: false in checkout calls
---
 .github/workflows/changelog_stage.yml | 2 ++
 .github/workflows/common_deploy_jobs.yml | 6 ++++++
 .github/workflows/packaging_jobs.yml | 2 ++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/changelog_stage.yml b/.github/workflows/changelog_stage.yml
index bbe8a2c54..0521b935d 100644
--- a/.github/workflows/changelog_stage.yml
+++ b/.github/workflows/changelog_stage.yml
@@ -12,6 +12,8 @@ jobs:
 # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Prepare changelog
 run: |-
 CERTBOT_VERSION="$(cd certbot/src && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
diff --git a/.github/workflows/common_deploy_jobs.yml b/.github/workflows/common_deploy_jobs.yml
index 534618933..61e2c9aaf 100644
--- a/.github/workflows/common_deploy_jobs.yml
+++ b/.github/workflows/common_deploy_jobs.yml
@@ -41,6 +41,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Install dependencies
 run: |-
 sudo apt-get update
@@ -105,6 +107,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Retrieve Certbot snaps
 uses: actions/download-artifact@v8.0.1
 with:
@@ -129,6 +133,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Login to Docker Hub
 uses: docker/login-action@v4.1.0
 with:
diff --git a/.github/workflows/packaging_jobs.yml b/.github/workflows/packaging_jobs.yml
index 1484da173..5e82a9956 100644
--- a/.github/workflows/packaging_jobs.yml
+++ b/.github/workflows/packaging_jobs.yml
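Review bot: `uses: actions/checkout@v6.0.2`, the context line just above the added `with:` in changelog_stage.yml, references the action by a tag that its publisher can move, so this file does not fix which code handles the job's token; the same line appears in all three hunks of common_deploy_jobs.yml and in the packaging_jobs.yml hunk. Since the commit is already tightening credential handling, pinning to the full commit SHA with the version kept as a trailing comment would close that gap: `uses: actions/checkout@<full-commit-sha> # v6.0.2` (placeholder; take the SHA from the v6.0.2 release). The same applies to `actions/download-artifact@v8.0.1` in the -105 hunk and, with more weight, to `docker/login-action@v4.1.0` in the -129 hunk, which presumably receives the Docker Hub credentials; its `with:` body is outside the hunk.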
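Review bot: The `persist-credentials: false` additions in common_deploy_jobs.yml (the hunk at -41 and those at -105 and -129) carry no comment saying why the checkout default is overridden, so a later edit that adds a `git push` or tagging step to a deploy job may simply delete the setting to make that step work. A one-line comment above `with:` would keep the intent visible, for example `# Do not leave the job token configured for git after checkout; steps that need it must pass it explicitly`. The job bodies continue outside these hunks, so it is not visible here whether any existing step relies on authenticated git commands; a dry run of the deploy workflow would confirm that none does.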
@@ -32,6 +32,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Build the Docker images
 # We don't filter for the Docker Hub organization to continue to allow
 # easy testing of these scripts on forks.