
Set persist-credentials to false #37

Merged

williamdes merged 1 commit into phpmyadmin:master from liviuconcioiu:actions on Jul 5, 2026

Conversation

@liviuconcioiu

Contributor

@williamdes I've got this check from Aikido when updating actions/checkout on device-detector:

GitHub Action actions/checkout persist Git credentials in workflow - low severity

actions/checkout v2 and above persist the default GITHUB_TOKEN in the repository's local git config when persist-credentials is not set to false, during the workflow run. Subsequent workflow steps or third-party actions can read this token from git configuration, increasing the risk of credential theft or misuse within the pipeline. In order to limit the attack surface when external actions are compromised, ensure persist-credentials is set to false.


Remediation: Set persist-credentials: false on actions/checkout steps that do not need to push commits back to the repository. Only keep persist-credentials: true when the workflow explicitly performs authenticated git push operations.

I considered also fixing it here.

Signed-off-by: Liviu-Mihail Concioiu <liviu.concioiu@gmail.com>
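As an added illustration of the setting this PR changes (example workflow written for this page, not the phpMyAdmin project's own workflow; the job names, the `make test` step and the release job are assumptions), the following shows the default behaviour the Aikido finding describes next to the remediated form. With `persist-credentials` left at its default of `true`, `actions/checkout` stores the `GITHUB_TOKEN` in the checked-out repository's local git config, where every later step in that job can read it; setting it to `false` on jobs that never push removes that exposure, while a job that genuinely pushes keeps it, as the quoted remediation advises.

```yaml
# Added example, not part of PR #37: a hypothetical workflow contrasting the
# default (credentials persisted) with the remediated checkout step.
name: ci

on: [push, pull_request]

jobs:
  # Weak: persist-credentials defaults to true, so the GITHUB_TOKEN stays in
  # the local git config for every subsequent step and third-party action.
  test-weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # hypothetical test step

  # Hardened: this job never pushes, so the token is not needed in git config.
  test-hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test   # hypothetical test step

  # A job that really performs an authenticated push keeps persist-credentials
  # true, limited to the one job that needs it and with explicit permissions.
  release-push:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: true
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit --allow-empty -m "hypothetical release commit"
          git push
```

A quick way to confirm the hardened job behaves as intended is to add a step that runs `git config --local --list` after checkout and check that no authorization header or token appears in the output; in the weak job the same command shows the persisted credential entry.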

@williamdes williamdes left a comment

Member


Thank you!

@williamdes williamdes merged commit 9658c97 into phpmyadmin:master Jul 5, 2026
42 of 47 checks passed
@williamdes williamdes self-assigned this Jul 5, 2026
@liviuconcioiu liviuconcioiu deleted the actions branch July 5, 2026 09:11