Skip to content

Don't persist credentials in pages checkout#12

Merged
oschwald merged 1 commit into
mainfrom
wstorey/fix-zizmor
Jun 11, 2026
Merged

Don't persist credentials in pages checkout#12
oschwald merged 1 commit into
mainfrom
wstorey/fix-zizmor

Conversation

@horgh

@horgh horgh commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

zizmor reports an artipacked finding for the checkout step in pages.yml: without persist-credentials: false, the GitHub token is written into the local git config and could leak via later steps or build artifacts. Nothing after the checkout needs git credentials (the job just builds the site and uploads the artifact), so this disables persistence.

🤖 Generated with Claude Code

@horgh @claude
Don't persist credentials in pages checkout
f74eec8 
zizmor flags the checkout step in pages.yml for artipacked: without
persist-credentials: false, the GitHub token is written into the local
git config and could leak via later steps or artifacts. Nothing after
the checkout needs git credentials.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@gemini-code-assist

gemini-code-assist Bot commented Jun 11, 2026

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@oschwald oschwald merged commit 6314ddb into main Jun 11, 2026
5 checks passed
@oschwald oschwald deleted the wstorey/fix-zizmor branch June 11, 2026 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oschwald oschwald oschwald approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@horgh @oschwald