Skip to content

16 occurrences of actions/checkout without persist-credentials: false #1696

Description

@sdghsdkjlas27-dotcom

DESCRIPTION:
actions/checkout defaults to persist-credentials: true, leaving the GitHub token in local git config. Subsequent steps that run untrusted code (or vulnerable third-party actions) can exfiltrate GITHUB_TOKEN. The repo never sets persist-credentials: false.

REPRODUCTION:

  1. Inspect any workflow checkout step.
  2. No persist-credentials: false.

IMPACT:
Token theft; privilege escalation.

RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint,zerocracy}.yml

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions