
Commit 487811e

SEC: avoid leaking credentials (#366)
1 parent 1079441 commit 487811e

4 files changed

Lines changed: 8 additions & 1 deletion


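--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -158,6 +158,7 @@ jobs:
 lfs: true
 submodules: ${{ inputs.submodules }}
 ref: ${{ inputs.checkout_ref }}
+persist-credentials: false
 - name: Get machine arch
 if: ${{ runner.os == 'Linux' }}
 id: uname_m
@@ -249,6 +250,7 @@ jobs:
 fetch-depth: 0
 lfs: true
 submodules: ${{ inputs.submodules }}
+persist-credentials: false
 - name: Install dependencies
 if: ${{ inputs.libraries != '' }}
 uses: ConorMacBride/install-package@3e7ad059e07782ee54fa35f827df52aae0626f30 # v1.1.0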
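Review bot: The added `persist-credentials: false` relies on no later step in this job doing authenticated git work (push, tag, LFS fetch) with the checkout's token, and nothing in the hunk records that assumption; the same line is added in the second hunk of this file and in both hunks of tox.yml, where the same question applies. If a later step does need git access it will now have to supply a token explicitly rather than rely on what actions/checkout left in `.git/config`. A one-line comment above the setting, `# token is not needed after checkout, so do not leave it in .git/config`, would make the intent clear and stop the default being restored in a future edit. The enclosing `uses: actions/checkout` / `with:` header of this step starts outside the hunk.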

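--- a/.github/workflows/publish_pure_python.yml
+++ b/.github/workflows/publish_pure_python.yml
@@ -114,17 +114,19 @@ jobs:
 if: ${{ inputs.env != '' }}
 run: |
 echo $SET_ENV_SCRIPT | base64 --decode > set_env.py
-pipx run set_env.py "${{ inputs.env }}"
+pipx run set_env.py "${INPUTS_ENV}"
 rm set_env.py
 shell: sh
 env:
 SET_ENV_SCRIPT: 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
+INPUTS_ENV: ${{ inputs.env }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 lfs: true
 submodules: ${{ inputs.submodules }}
 ref: ${{ inputs.checkout_ref }}
+persist-credentials: false
 - name: Install dependencies
 if: ${{ inputs.libraries != '' }}
 uses: ConorMacBride/install-package@3e7ad059e07782ee54fa35f827df52aae0626f30 # v1.1.0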
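Review bot: Moving `${{ inputs.env }}` out of the `run:` body into the `INPUTS_ENV` env var is the part of this hunk that closes a script-injection path (the expression used to be expanded into the shell script text before `sh` ran it), but nothing in the file says so, and a later cleanup could inline it again. A comment above the new env entry, `# passed via env rather than interpolated into run:, so the value is never evaluated as shell`, would pin the reason. On the unchanged line just above the fix, `echo $SET_ENV_SCRIPT` is unquoted under `shell: sh`; `printf '%s' "$SET_ENV_SCRIPT"` would avoid word-splitting and globbing on that value, though base64 output is unlikely to contain either. The step's `name:`/`uses:` header starts outside the hunk.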

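--- a/.github/workflows/pull_from_upstream.yml
+++ b/.github/workflows/pull_from_upstream.yml
@@ -18,6 +18,7 @@ jobs:
 # Checkout the repository where the workflow is running
 ref: main
 fetch-depth: 0
+persist-credentials: false
 
 - name: Set up git
 run: |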
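Review bot: `persist-credentials: false` on a checkout of `main` in a workflow named pull_from_upstream is likely followed by a push back to the repository; the `Set up git` step begins right after the hunk and its `run:` body is outside it, so this cannot be confirmed here. Once the token is no longer written into `.git/config`, any later `git push` from this checkout will fail unless that step supplies credentials explicitly (for example a token passed through `env` and used in the remote URL). Worth verifying that the push path still works on a real run, and adding `# later steps must supply their own token for push` above the new line so the dependency is visible. The checkout step's `uses:`/`with:` header starts outside the hunk.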

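--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@@ -167,6 +167,7 @@ jobs:
 lfs: true
 submodules: ${{ inputs.submodules }}
 ref: ${{ inputs.checkout_ref }}
+persist-credentials: false
 
 - name: Cache ${{ matrix.cache_key }}
 if: ${{ matrix.cache-path != '' && matrix.cache-key != '' }}
@@ -266,6 +267,7 @@ jobs:
 lfs: true
 submodules: ${{ inputs.submodules }}
 ref: ${{ inputs.checkout_ref }}
+persist-credentials: false
 - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 pattern: coverage-data-${{ github.run_id }}-*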
