
Backport workflow-hardening fix (artipacked) to 5 release branches #4366

Description

@CharlieMCY

Summary

The default branch already hardened .github/workflows/nightlies.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • artipacked: actions/checkout left persist-credentials enabled (token leaks into artifacts)

Already resolved on the default branch in:

Affected release branches (5)

  • release/ngc/26.07 (still present as of HEAD e6afd573)
  • release/2.13 (still present as of HEAD 4c9c739b)
  • release/2.12 (still present as of HEAD 92bb1663)
  • release/ngc/26.06 (still present as of HEAD bec6f242)
  • release/ngc/26.05 (still present as of HEAD c4ec0839)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

release/ngc/26.07 — artipacked

File .github/workflows/nightlies.yml; suggested edits:

    • jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
         with:
           ref: main
           token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+          persist-credentials: false
       - name: Create nightly commit
         shell: bash
         run: |
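Review bot: the trailing context shows this checkout is immediately followed by a "Create nightly commit" step, and the checkout is handed `token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}`; with `persist-credentials: false` that token is no longer written into the checkout's git config, so if the following step pushes with a plain `git push` it loses the credential it relied on. Before backporting, confirm how the already-hardened nightlies.yml on the default branch supplies the token to the push (for example explicitly in the push step) and carry that part over as well, otherwise the nightly job on this branch clears the scanner but stops pushing.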
release/2.13 — artipacked

File .github/workflows/nightlies.yml; suggested edits:

    • jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
         with:
           ref: main
           token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+          persist-credentials: false
       - name: Create nightly commit
         shell: bash
         run: |
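Review bot: the "Create nightly commit" step in the trailing context follows a checkout that receives `secrets.GH_PYTORCHBOT_TOKEN`; once `persist-credentials: false` lands the push in that step no longer has the persisted token, so verify the step passes the token explicitly (as the hardened default-branch workflow presumably does) before merging this to release/2.13.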
release/2.12 — artipacked

File .github/workflows/nightlies.yml; suggested edits:

    • jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
         with:
           ref: main
           token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+          persist-credentials: false
       - name: Create nightly commit
         shell: bash
         run: |
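Review bot: same structural point for release/2.12: the checkout takes `secrets.GH_PYTORCHBOT_TOKEN` and is followed directly by "Create nightly commit"; with credentials no longer persisted, that step must be given the token itself or its push fails. Check the push command in that step against the default branch's version of the file.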
release/ngc/26.06 — artipacked

File .github/workflows/nightlies.yml; suggested edits:

    • jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
         with:
           ref: main
           token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+          persist-credentials: false
       - name: Create nightly commit
         shell: bash
         run: |
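Review bot: the hunk only removes the persisted credential; the "Create nightly commit" step shown in the trailing context still has to authenticate its push somehow. Confirm on release/ngc/26.06 that this step supplies `secrets.GH_PYTORCHBOT_TOKEN` explicitly rather than relying on the git config entry that `persist-credentials: false` now omits.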
release/ngc/26.05 — artipacked

File .github/workflows/nightlies.yml; suggested edits:

    • jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
         with:
           ref: main
           token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+          persist-credentials: false
       - name: Create nightly commit
         shell: bash
         run: |
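Review bot: as on the other branches, the checkout's token is passed in `with:` but the "Create nightly commit" step that follows it will no longer find that token in the checkout's git config after this change; verify the push path of that step on release/ngc/26.05 matches the default branch's hardened workflow before applying the patch.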

Happy to open pull requests instead if that's preferred.
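For context on what the artipacked finding actually leaks, here is an added example (not part of this issue or of the project's workflows): a small pre-upload guard that inspects a checkout's `.git/config` for the credential that actions/checkout persists when `persist-credentials` is left at its default. actions/checkout stores the token as an `http.https://github.com/.extraheader` entry carrying `AUTHORIZATION: basic <base64("x-access-token:<token>")>`; anything that archives the workspace (an artifact upload, a tarball) carries that line with it. The two config texts below are constructed samples and the token is a placeholder, not a real secret.

```python
"""
Added example, not part of the issue or the project: detect credentials that
actions/checkout persists into .git/config when persist-credentials is true.

After a default checkout the config contains:
    [http "https://github.com/"]
        extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
A hardened checkout (persist-credentials: false) has no such section.
"""
import base64
import os
import re
import tempfile

# Constructed sample: .git/config after checkout with the default persist-credentials.
# The token is a placeholder; it exists only to show the shape of the leak.
SAMPLE_CONFIG_LEAKING = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/example-repo
\tfetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {blob}
""".format(blob=base64.b64encode(b"x-access-token:ghp_PLACEHOLDER_TOKEN").decode())

# Constructed sample: the same checkout after the fix (persist-credentials: false).
SAMPLE_CONFIG_CLEAN = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/example-repo
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

_SECTION = re.compile(r'^\[(\S+)(?:\s+"([^"]*)")?\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def find_persisted_credentials(config_text):
    """Return one finding per http.*.extraheader that carries an Authorization
    header, as (url, auth_scheme, user). The secret itself is never returned."""
    findings = []
    section, subsection = None, None
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = _KEYVAL.match(line)
        if not m or section != "http":
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key != "extraheader":
            continue
        hdr = value.split(":", 1)
        if len(hdr) != 2 or hdr[0].strip().lower() != "authorization":
            continue
        parts = hdr[1].strip().split(None, 1)
        scheme = parts[0].lower() if parts else ""
        user = "<unknown>"
        if scheme == "basic" and len(parts) == 2:
            try:
                decoded = base64.b64decode(parts[1]).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]  # keep the user part, drop the secret
            except (ValueError, UnicodeDecodeError):
                pass
        findings.append((subsection or "*", scheme, user))
    return findings


def checkout_is_safe_to_archive(repo_dir):
    """True when <repo_dir>/.git/config holds no persisted Authorization header."""
    path = os.path.join(repo_dir, ".git", "config")
    if not os.path.exists(path):
        return True
    with open(path, encoding="utf-8") as fh:
        return not find_persisted_credentials(fh.read())


def _write_sample(config_text):
    """Create a throwaway directory containing .git/config with config_text."""
    root = tempfile.mkdtemp(prefix="checkout-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w", encoding="utf-8") as fh:
        fh.write(config_text)
    return root


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_CONFIG_LEAKING), ("hardened", SAMPLE_CONFIG_CLEAN)):
        repo = _write_sample(text)
        print(label, "checkout safe to archive:", checkout_is_safe_to_archive(repo),
              find_persisted_credentials(text))
```

Run as a step right before any artifact upload (or before tarring the workspace) and fail the job when `checkout_is_safe_to_archive` returns False; in a workflow that has already set `persist-credentials: false` it passes, and on branches still carrying the default it names the github.com section and the `x-access-token` user without echoing the token.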
