Skip to content

harden: scope checkout token (persist-credentials: false)#45

Merged
askalf merged 2 commits into
mainfrom
harden/scope-checkout-token
Jul 11, 2026
Merged

harden: scope checkout token (persist-credentials: false)#45
askalf merged 2 commits into
mainfrom
harden/scope-checkout-token

Conversation

@askalf

@askalf askalf commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Adds persist-credentials: false to the credential-persisting actions/checkout steps flagged in a workflow-token audit. By default actions/checkout writes the GITHUB_TOKEN into .git/config, leaving a write-capable credential on disk that any later build/install step can read. These jobs run untrusted build/install code after checkout, so the token was needlessly exposed. GHCR/npm auth here is unaffected (OIDC and GH_TOKEN env), so scoping the checkout token out is a pure hardening.

Workflows / jobs fixed:

  • .github/workflows/release-assets.yml (job attach) — checkout runs before npm pack; the persisted token was readable by that build step.
  • .github/workflows/publish.yml (job publish) — checkout runs before npm ci / npm test; the persisted token was readable by those install/test steps. Publishing is via npm OIDC trusted publishing, not the checkout credential.

@askalf
askalf merged commit 095a004 into main Jul 11, 2026
4 checks passed
@askalf
askalf deleted the harden/scope-checkout-token branch July 11, 2026 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant