From 6e3f23cd6796b02e15bbca63a9bfb2ecd9d9ed64 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 15 Jun 2026 23:33:45 +0000 Subject: [PATCH] ci: don't persist credentials for read-only nixpkgs checkout The nixpkgs-update workflow checks out NixOS/nixpkgs only to read it and compute a version bump locally; the resulting PR is pushed to the smorin/nixpkgs fork via peter-evans/create-pull-request using its own NIXPKGS_UPDATE_TOKEN, never via the checkout's persisted credentials. Set persist-credentials: false so the default GITHUB_TOKEN is used for the initial clone only and stripped from .git/config afterward, preventing later steps from reading or misusing it. --- .github/workflows/nixpkgs-update.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/nixpkgs-update.yml b/.github/workflows/nixpkgs-update.yml index 1ec04ae..6fde703 100644 --- a/.github/workflows/nixpkgs-update.yml +++ b/.github/workflows/nixpkgs-update.yml @@ -47,6 +47,7 @@ jobs: repository: NixOS/nixpkgs ref: master fetch-depth: 0 + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22