Set 'persist-credentials' to false

2025-02-25 18:55:22 -06:00 · 2024-11-16 18:30:17 +00:00
parent 15b46dc81e
commit 58b2a94770
7 changed files with 45 additions and 1 deletions
--- a/.github/workflows/builddoc.yml
+++ b/.github/workflows/builddoc.yml
@@ -22,6 +22,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -28,6 +28,8 @@ jobs:
      id-token: write  # for PyPI trusted publishing
    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
@@ -97,7 +99,7 @@ jobs:
              headers: {Authorization: `bearer ${oidc_request_token}`},
            });
            const oidc_token = (await oidc_resp.json()).value;
-  
+
            // exchange the OIDC token for an API token
            const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
              method: 'post',
@@ -127,6 +129,8 @@ jobs:
      contents: write  # for softprops/action-gh-release to create GitHub release
    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Get release version
        id: get_version
        uses: actions/github-script@v7
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -24,6 +24,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Get Ruff version from pyproject.toml
      run: |
        RUFF_VERSION=$(awk -F'[="]' '/\[project\.optional-dependencies\]/ {p=1} /ruff/ {if (p) print $4}' pyproject.toml)
@@ -48,6 +50,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -68,6 +72,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -88,6 +94,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -108,6 +116,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -128,6 +138,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,6 +47,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python ${{ matrix.python }}
      uses: actions/setup-python@v5
      with:
@@ -85,6 +87,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python ${{ matrix.python }} (deadsnakes)
      uses: deadsnakes/action@v3.2.0
      with:
@@ -117,6 +121,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python ${{ matrix.python }} (deadsnakes)
      uses: deadsnakes/action@v3.2.0
      with:
@@ -150,6 +156,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python ${{ matrix.python }} (deadsnakes)
      uses: deadsnakes/action@v3.2.0
      with:
@@ -179,6 +187,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -211,6 +221,8 @@ jobs:
        wget --no-verbose https://github.com/w3c/epubcheck/releases/download/v${EPUBCHECK_VERSION}/epubcheck-${EPUBCHECK_VERSION}.zip
        unzip epubcheck-${EPUBCHECK_VERSION}.zip
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -243,6 +255,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -275,6 +289,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -303,6 +319,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -34,6 +34,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Use Node.js ${{ env.node-version }}
      uses: actions/setup-node@v4
      with:
--- a/.github/workflows/transifex.yml
+++ b/.github/workflows/transifex.yml
@@ -16,6 +16,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
@@ -45,6 +47,8 @@ jobs:

    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
--- a/doc/tutorial/deploying.rst
+++ b/doc/tutorial/deploying.rst
@@ -188,6 +188,8 @@ contents:
         contents: write
       steps:
       - uses: actions/checkout@v4
+         with:
+           persist-credentials: false
       - name: Build HTML
         uses: ammaraskar/sphinx-action@master
       - name: Upload artifacts