ci: disable checkout credential persistence in privileged workflows (#1851)

2026-05-14 16:38:40 +08:00 · 2026-05-13 01:15:49 -04:00
parent 2486732714
commit 209abd403b
5 changed files with 33 additions and 0 deletions
--- a/scripts/ci/validate-workflow-security.js
+++ b/scripts/ci/validate-workflow-security.js
@@ -108,6 +108,18 @@ function findViolations(filePath, source) {
  }

  if (WRITE_PERMISSION_PATTERN.test(source)) {
+    for (const step of checkoutSteps) {
+      if (!/persist-credentials:\s*['"]?false['"]?\b/m.test(step.text)) {
+        violations.push({
+          filePath,
+          event: 'write-permission checkout',
+          description: 'workflows with write permissions must disable checkout credential persistence',
+          expression: 'actions/checkout without persist-credentials: false',
+          line: step.startLine,
+        });
+      }
+    }
+
    for (const match of source.matchAll(NPM_CI_PATTERN)) {
      violations.push({
        filePath,