Skip to content

github action make checkout option persist-credentials explicit #56826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

github action make checkout option persist-credentials explicit #56826

wants to merge 6 commits into from

Conversation

godartm
Copy link

@godartm godartm commented Aug 29, 2025
edited
Loading

Hello,

The goal of this PR is to make the use of the persist-credentials option in the actions/checkout action explicit.

By default, actions/checkout persists a credential in the checked-out repo’s .git/config, allowing subsequent Git operations to be authenticated.
However, this behavior can be problematic:

  • Subsequent steps may unintentionally expose .git/config publicly, e.g. by uploading it as part of an artifact via actions/upload-artifact.
  • Even without that risk, persisting credentials in .git/config is not ideal unless explicitly required.

Unless Git operations are needed in later steps, actions/checkout should be used with:

steps:
  - uses: actions/checkout@v4
    with:
      persist-credentials: false

Impact

This change only affects the CI/CD workflows and has no impact on end users.

Testing

To validate this change, the CI pipeline must pass across all impacted workflows.
If preferred, I can split this into multiple PRs for easier review and merging.

I can also begin applying this change to other Laravel repositories before proposing it directly to the framework.

Best,

@godartm
Copy link
Author

godartm commented Aug 29, 2025

ci seem to be currently failing on l12 branch instead of the change made here.

Currently waiting to sync fork to confirm its not from my change

@taylorotwell taylorotwell marked this pull request as draft August 29, 2025 14:23
@godartm
Copy link
Author

godartm commented Sep 1, 2025

CI/CD is passing now , i'll open back this PR .

@godartm godartm marked this pull request as ready for review September 1, 2025 08:37
crynobone
crynobone reviewed Sep 2, 2025
View reviewed changes
.github/workflows/tests.yml
@@ -134,6 +134,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing the changes?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@crynobone I fixed it. I reverted and added it back normally.
When CI failed at first, I thought it might be from actions/upload-artifact, but it was actually the L12 branch

godartm
godartm commented Sep 2, 2025
View reviewed changes
Copy link
Author

@godartm godartm left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there’s an auto-commit step, I think setting persist-credentials: "false" could break the workflow in .github/workflows/update-assets.yml. So I’d prefer to skip this file.

@godartm
Revert "add missing bits"
ca528f5 
This reverts commit e27d6bb.
@taylorotwell
Copy link
Member

I think it's fine to leave this as-is.

@godartm godartm deleted the ci/improvement-action-checkout branch September 2, 2025 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crynobone crynobone crynobone left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@godartm @taylorotwell @crynobone