Summary
The default branch already hardened .github/workflows/nightlies.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
artipacked — actions/checkout is used without persist-credentials: false, so the checkout token stays in .git/config for the rest of the job and can be read by any later step or bundled into uploaded artifacts
Already resolved on the default branch in:
Affected release branches (5)
release/ngc/26.07 (still present as of HEAD e6afd573)
release/2.13 (still present as of HEAD 4c9c739b)
release/2.12 (still present as of HEAD 92bb1663)
release/ngc/26.06 (still present as of HEAD bec6f242)
release/ngc/26.05 (still present as of HEAD c4ec0839)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
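For context on what the one-line change does and does not do, here is a minimal checkout-and-push job in its default (weak) form next to the hardened form. This is an added illustration, not the project's nightlies.yml: the job and step names, the target branch nightly and the bot identity are assumptions; the secret name GH_PYTORCHBOT_TOKEN is the one that appears in the diffs.

```yaml
# Added illustration, not the project's workflow. Job/step names, the
# "nightly" branch and the bot identity are placeholders.
jobs:
  nightly-weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
          token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
          # persist-credentials defaults to true: the token is written to
          # .git/config (http.<url>.extraheader) and stays there for every
          # later step in this job.
      - uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .
          include-hidden-files: true   # .git/config, and the token, leave the runner

  nightly-hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
          token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
          persist-credentials: false   # fetch with the token, then drop it
      - name: Create nightly commit
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GH_PYTORCHBOT_TOKEN }}   # visible to this step only
        run: |
          set -euo pipefail
          git config user.name  "nightly-bot"
          git config user.email "nightly-bot@users.noreply.github.com"
          git commit --allow-empty -m "nightly"
          # Nothing was persisted, so this push must authenticate itself.
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:nightly
```

The point of the hardened form is that the credential's lifetime shrinks from the whole job to the two steps that need it, and a later artifact upload or third-party action no longer sees it. Do not enable `set -x` in a step that builds a URL from the token, or the shell trace will print it into the log.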
release/ngc/26.07 — artipacked
File .github/workflows/nightlies.yml; suggested edits:
- jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
with:
ref: main
token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+ persist-credentials: false
- name: Create nightly commit
shell: bash
run: |
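Review bot: with persist-credentials: false on this checkout, GH_PYTORCHBOT_TOKEN is no longer written into .git/config, so the "Create nightly commit" step that follows (its run: body is cut off in this hunk) cannot push with an inherited credential any more. Before applying the patch to release/ngc/26.07, confirm that step authenticates its own push, for example by exposing the token through env: and pushing to https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git; otherwise the hardening turns a credential exposure into a nightly job that fails at push time. Keeping the token: input is correct, since checkout still needs it to fetch ref: main.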
release/2.13 — artipacked
File .github/workflows/nightlies.yml; suggested edits:
- jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
with:
ref: main
token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+ persist-credentials: false
- name: Create nightly commit
shell: bash
run: |
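Review bot: the added persist-credentials: false means the "Create nightly commit" step after this checkout no longer inherits GH_PYTORCHBOT_TOKEN from .git/config. The run: body is truncated here, so check on release/2.13 that it passes the token to git push explicitly (env: plus an x-access-token URL, or an equivalent http.extraheader) rather than relying on the persisted credential; if it does not, this patch will break the nightly push. The token: input should stay, as it is still used for the fetch of ref: main.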
release/2.12 — artipacked
File .github/workflows/nightlies.yml; suggested edits:
- jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
with:
ref: main
token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+ persist-credentials: false
- name: Create nightly commit
shell: bash
run: |
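Review bot: after this change the checkout no longer leaves GH_PYTORCHBOT_TOKEN in .git/config, which is the fix, but it also removes the credential the following "Create nightly commit" step most likely used to push. Its run: body is not shown in the hunk, so verify on release/2.12 that the push supplies the token itself (for example via env: and https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git) before merging, or the nightly job will start failing at push. The token: input is still needed for the fetch and should be kept.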
release/ngc/26.06 — artipacked
File .github/workflows/nightlies.yml; suggested edits:
- jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
with:
ref: main
token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+ persist-credentials: false
- name: Create nightly commit
shell: bash
run: |
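Review bot: persist-credentials: false stops GH_PYTORCHBOT_TOKEN from being persisted in .git/config, so the "Create nightly commit" step directly below this checkout cannot push on the strength of the checkout alone any more. Since its run: body is cut off here, confirm on release/ngc/26.06 that the step authenticates the push explicitly (token via env: and an x-access-token push URL, or an http.extraheader set for that command only); otherwise the patch trades a token exposure for a broken nightly. The token: input remains necessary for fetching ref: main and is correctly left in place.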
release/ngc/26.05 — artipacked
File .github/workflows/nightlies.yml; suggested edits:
- jobs.$J.steps[uses=actions/checkout].with.persist-credentials = False
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -15,6 +15,7 @@
with:
ref: main
token: ${{ secrets.GH_PYTORCHBOT_TOKEN }}
+ persist-credentials: false
- name: Create nightly commit
shell: bash
run: |
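Review bot: once persist-credentials: false is set, the "Create nightly commit" step that follows this checkout no longer has GH_PYTORCHBOT_TOKEN available through .git/config. The hunk ends before its run: body, so check on release/ngc/26.05 that the push in that step passes the token itself (env: plus https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git, or equivalent) rather than depending on the persisted credential; if it does not, the nightly push will fail after this patch. Keeping the token: input is right, since checkout still uses it to fetch ref: main.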
Happy to open pull requests instead if that's preferred.