checkout_persist_credentials_should_be_false

actions/checkout's input persist-credentials should be false.

Examples

❌

jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      # persist-credentials is not set
      - uses: actions/checkout@v4

  bar:
    runs-on: ubuntu-latest
    steps:
      # persist-credentials is true
      - uses: actions/checkout@v4
        with:
          persist-credentials: "true"

⭕

jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: "false"

Why?

actions/checkout#485

Persisting token allows every step after actions/checkout to access token. This is a security risk.

💡 Fix using suzuki-shunsuke/disable-checkout-persist-credentials

Adding persist-credentials: false by hand is bothersome. You can do this automatically using suzuki-shunsuke/disable-checkout-persist-credentials.

https://github.com/suzuki-shunsuke/disable-checkout-persist-credentials

How to ignore the violation

If you need to persist token in a specific job, please configure it with the configuration file.

e.g.

ghalint.yaml

excludes:
  - policy_name: checkout_persist_credentials_should_be_false
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint

workflow: policy_name, workflow_file_path, job_name are required
action: policy_name and action_file_path are required

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

013.md

013.md

checkout_persist_credentials_should_be_false

Examples

Why?

💡 Fix using suzuki-shunsuke/disable-checkout-persist-credentials

How to ignore the violation

Files

013.md

Latest commit

History

013.md

File metadata and controls

checkout_persist_credentials_should_be_false

Examples

Why?

💡 Fix using suzuki-shunsuke/disable-checkout-persist-credentials

How to ignore the violation