DESCRIPTION:
actions/checkout defaults to persist-credentials: true, leaving the GitHub token in local git config. Subsequent steps that run untrusted code (or vulnerable third-party actions) can exfiltrate GITHUB_TOKEN. The repo never sets persist-credentials: false.
REPRODUCTION:
- Inspect any workflow checkout step.
- No persist-credentials: false.
IMPACT:
Token theft; privilege escalation.
RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint,zerocracy}.yml
DESCRIPTION:
actions/checkout defaults to persist-credentials: true, leaving the GitHub token in local git config. Subsequent steps that run untrusted code (or vulnerable third-party actions) can exfiltrate GITHUB_TOKEN. The repo never sets persist-credentials: false.
REPRODUCTION:
IMPACT:
Token theft; privilege escalation.
RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint,zerocracy}.yml