ci: fix TOB-SCREUC-8, do not persist git credentials (#1139)

Thegaram · web-flow · commit 94fcd7d9cef4 · 2025-03-14T11:36:32.000+01:00
* fix(ci): disable cache-binary option

* ci: pin 3rd-party actions

* ci: do not persist git credentials
diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
@@ -19,6 +19,8 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.head_ref }}
+          persist-credentials: false
+
       - name: check diff
         id: check_diff
         run: |
@@ -45,11 +47,13 @@ jobs:
             echo '> yes'
             echo "result=bump" >> "$GITHUB_OUTPUT"
           fi
+
       - name: Install Node.js 16
         if: steps.check_diff.outputs.result == 'bump'
         uses: actions/setup-node@v3
         with:
           node-version: 16
+
       - name: bump version in params/version.go
         if: steps.check_diff.outputs.result == 'bump'
         run: node .github/scripts/bump_version_dot_go.mjs
diff --git a/.github/workflows/docker-arm64.yaml b/.github/workflows/docker-arm64.yaml
@@ -19,6 +19,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Set up QEMU
         run: |
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -13,6 +13,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
@@ -21,6 +23,7 @@ jobs:
       uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
       with:
         cache-binary: false
+
     - name: Extract docker metadata
       id: meta
       uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
diff --git a/.github/workflows/l2geth_ci.yml b/.github/workflows/l2geth_ci.yml
@@ -25,6 +25,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Build
       run: |
@@ -48,6 +50,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Build
       run: |
@@ -66,6 +70,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Lint
       run: |
@@ -86,6 +92,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - run: goimports -local github.com/scroll-tech/go-ethereum/ -w .
 
@@ -107,6 +115,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - run: go mod tidy
 
@@ -128,6 +138,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Test
       run: |
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -21,4 +21,6 @@ jobs:
       image: returntocorp/semgrep
     steps:
     - uses: actions/checkout@v3
+      with:
+        persist-credentials: false
     - run: semgrep ci
