From 1e92a7c550bee479bc195f4999f52b1312c57a11 Mon Sep 17 00:00:00 2001 From: askalf <263217947+askalf@users.noreply.github.com> Date: Sat, 11 Jul 2026 18:30:40 -0400 Subject: [PATCH] harden(auto-release): scope release token out of npm test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The checkout persisted GITHUB_TOKEN (contents:write + actions:write) into .git/config, where `npm ci && npm test` then ran with it available — a compromised devDependency or test could read and reuse it. Set persist-credentials: false and push the tag with an explicit in-URL token, matching publish.yml's OIDC posture and marketplace-watch's push pattern. --- .github/workflows/auto-release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index ba12e01..53257b6 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -34,6 +34,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 + persist-credentials: false # tag push below supplies the token explicitly - name: Read version from package.json id: version @@ -125,13 +126,16 @@ jobs: - name: Create annotated tag if: steps.gate.outputs.skip != 'true' && steps.bumped.outputs.skip != 'true' env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ steps.version.outputs.tag }} run: | set -euo pipefail git config user.name 'askalf' git config user.email 'support@askalf.org' git tag -a "$TAG" -m "Release $TAG" - git push origin "$TAG" + # Push with an explicit token so it never lands in .git/config during the + # install+test step above (checkout runs persist-credentials: false). + git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG" - name: Create GitHub release if: steps.gate.outputs.skip != 'true' && steps.bumped.outputs.skip != 'true'