From 84f6781bbbd1d95872649044ef643b6f4b720767 Mon Sep 17 00:00:00 2001 From: Arash Date: Thu, 31 Oct 2024 12:15:03 +0100 Subject: [PATCH] Set persist-credentials to false in GitHub workflows --- .github/workflows/api.yaml | 1 + .github/workflows/bioblend.yaml | 2 ++ .github/workflows/build_client.yaml | 1 + .github/workflows/build_container_image.yaml | 4 ++++ .github/workflows/check_test_class_names.yaml | 2 ++ .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/converter_tests.yaml | 2 ++ .github/workflows/cwl_conformance.yaml | 1 + .github/workflows/db_indexes.yaml | 1 + .github/workflows/dependencies.yaml | 2 ++ .github/workflows/deployment.yaml | 1 + .github/workflows/docs.yaml | 1 + .github/workflows/first_startup.yaml | 1 + .github/workflows/framework_tools.yaml | 1 + .github/workflows/framework_workflows.yaml | 1 + .github/workflows/integration.yaml | 1 + .github/workflows/integration_selenium.yaml | 1 + .github/workflows/jest.yaml | 2 ++ .github/workflows/js_lint.yaml | 2 ++ .github/workflows/lint.yaml | 2 ++ .github/workflows/lint_openapi_schema.yml | 1 + .github/workflows/mulled.yaml | 1 + .github/workflows/osx_startup.yaml | 1 + .github/workflows/performance.yaml | 1 + .github/workflows/publish_artifacts.yaml | 2 ++ .github/workflows/reports_startup.yaml | 1 + .github/workflows/selenium.yaml | 1 + .github/workflows/test_galaxy_packages.yaml | 1 + .github/workflows/test_galaxy_packages_for_pulsar.yaml | 1 + .github/workflows/test_galaxy_release.yaml | 1 + .github/workflows/toolshed.yaml | 1 + .github/workflows/unit-postgres.yaml | 1 + .github/workflows/unit.yaml | 1 + 33 files changed, 45 insertions(+) diff --git a/.github/workflows/api.yaml b/.github/workflows/api.yaml index 0ca4399f9314..bf41c6bfb5cc 100644 --- a/.github/workflows/api.yaml +++ b/.github/workflows/api.yaml @@ -48,6 +48,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' 
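Review bot: Setting `persist-credentials: false` on the `actions/checkout@v4` step in `api.yaml` only keeps the token out of the checkout's local git configuration; the job's `GITHUB_TOKEN` still carries whatever scopes the workflow or the repository default grants, and no `permissions:` key is visible in this hunk. If the workflow does not already declare one outside the hunk, add a top-level `permissions:` block with `contents: read` so the token is least-privilege as well as unpersisted. The same applies to the other test and lint workflows in this patch that only need to read the repository.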
diff --git a/.github/workflows/bioblend.yaml b/.github/workflows/bioblend.yaml index f0da9f2ed0e6..077d406576d3 100644 --- a/.github/workflows/bioblend.yaml +++ b/.github/workflows/bioblend.yaml @@ -39,11 +39,13 @@ jobs: with: fetch-depth: 1 path: galaxy + persist-credentials: false - name: Checkout Bioblend uses: actions/checkout@v4 with: repository: galaxyproject/bioblend path: bioblend + persist-credentials: false - name: Cache pip dir uses: actions/cache@v4 with: diff --git a/.github/workflows/build_client.yaml b/.github/workflows/build_client.yaml index c31032013902..88aad02c4b8c 100644 --- a/.github/workflows/build_client.yaml +++ b/.github/workflows/build_client.yaml @@ -14,6 +14,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/build_container_image.yaml b/.github/workflows/build_container_image.yaml index dbff3546e9ae..251c9c88694a 100644 --- a/.github/workflows/build_container_image.yaml +++ b/.github/workflows/build_container_image.yaml @@ -15,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # https://stackoverflow.com/questions/59810838/how-to-get-the-short-sha-for-the-github-workflow - name: Set outputs id: commit @@ -75,6 +77,8 @@ jobs: if: github.repository_owner == 'galaxyproject' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # https://stackoverflow.com/questions/59810838/how-to-get-the-short-sha-for-the-github-workflow - name: Set outputs id: commit diff --git a/.github/workflows/check_test_class_names.yaml b/.github/workflows/check_test_class_names.yaml index 33bf31877177..ff4cb4660314 100644 --- a/.github/workflows/check_test_class_names.yaml +++ b/.github/workflows/check_test_class_names.yaml 
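Review bot: The `Checkout Bioblend` step in `bioblend.yaml` pulls `galaxyproject/bioblend` with no `ref:`, so each run executes whatever is on that repository's default branch at the time; the `galaxyproject/galaxy-test-data` checkout in `converter_tests.yaml` has the same shape. If tracking the default branch is deliberate, a one-line comment above the step saying so would record the decision; otherwise add `ref: <pinned-tag-or-commit>` under `with:`. The job's remaining steps are outside the hunk.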
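Review bot: Both checkout steps in `build_container_image.yaml` reference `actions/checkout@v4`, which is a mutable tag, so a tag that is later moved would change the code these jobs run without any change in this repository. That matters most in workflows that produce release output, which this one appears to be from its name, and `publish_artifacts.yaml` with its `Build and publish` step is in the same position. Consider pinning to a full commit SHA with the version kept as a trailing comment, `- uses: actions/checkout@<full-commit-sha> # v4`. The steps that would use registry or publishing credentials are outside these hunks.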
@@ -17,6 +17,8 @@ jobs: python-version: ['3.8'] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bbacec3a450b..0b45b200930e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/converter_tests.yaml b/.github/workflows/converter_tests.yaml index b953699e6048..78f212852b21 100644 --- a/.github/workflows/converter_tests.yaml +++ b/.github/workflows/converter_tests.yaml @@ -31,6 +31,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' @@ -41,6 +42,7 @@ jobs: with: repository: galaxyproject/galaxy-test-data path: galaxy-test-data + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/cwl_conformance.yaml b/.github/workflows/cwl_conformance.yaml index 10fb215bf042..86b276aa8035 100644 --- a/.github/workflows/cwl_conformance.yaml +++ b/.github/workflows/cwl_conformance.yaml @@ -40,6 +40,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/db_indexes.yaml b/.github/workflows/db_indexes.yaml index 5141cfc04baa..dd2c3fb94888 100644 --- a/.github/workflows/db_indexes.yaml +++ b/.github/workflows/db_indexes.yaml @@ -42,6 +42,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} 
diff --git a/.github/workflows/dependencies.yaml b/.github/workflows/dependencies.yaml index 2401107eb325..270bc8b6f435 100644 --- a/.github/workflows/dependencies.yaml +++ b/.github/workflows/dependencies.yaml @@ -10,6 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Install Python 3.8 for update_lint_requirements.sh # Install Python 3.9 (as default) to allow `uv lock` to generate metadata for rucio-clients - uses: actions/setup-python@v5 diff --git a/.github/workflows/deployment.yaml b/.github/workflows/deployment.yaml index 281b60beb071..4db88651c943 100644 --- a/.github/workflows/deployment.yaml +++ b/.github/workflows/deployment.yaml @@ -34,6 +34,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 0758dfb522a1..8565c1858ea0 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/first_startup.yaml b/.github/workflows/first_startup.yaml index 05efc45367b9..37582a651590 100644 --- a/.github/workflows/first_startup.yaml +++ b/.github/workflows/first_startup.yaml @@ -31,6 +31,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/framework_tools.yaml b/.github/workflows/framework_tools.yaml index a55dfa316488..bb680d901e81 100644 --- a/.github/workflows/framework_tools.yaml +++ b/.github/workflows/framework_tools.yaml 
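Review bot: With `persist-credentials: false` on the checkout in `dependencies.yaml`, any later step that runs `git push` or otherwise relies on the token that checkout previously left in the git configuration will no longer authenticate. The context comments mention `update_lint_requirements.sh` and `uv lock`, which suggests the job regenerates files and may commit them, but those steps are outside the hunk. Confirm that whatever publishes the result passes its own token explicitly. The same check applies to `deployment.yaml` and `docs.yaml` if anything is pushed after their `fetch-depth: 0` checkouts.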
@@ -43,6 +43,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/framework_workflows.yaml b/.github/workflows/framework_workflows.yaml index 018463833e22..3c2c15912cdb 100644 --- a/.github/workflows/framework_workflows.yaml +++ b/.github/workflows/framework_workflows.yaml @@ -44,6 +44,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 872cdef6c69d..2b02d6591735 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -68,6 +68,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/integration_selenium.yaml b/.github/workflows/integration_selenium.yaml index 311fb16a96f0..addd6719b0b0 100644 --- a/.github/workflows/integration_selenium.yaml +++ b/.github/workflows/integration_selenium.yaml @@ -51,6 +51,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/jest.yaml b/.github/workflows/jest.yaml index 0d69a1498299..9a98c4caf8a9 100644 --- a/.github/workflows/jest.yaml +++ b/.github/workflows/jest.yaml @@ -19,6 +19,8 @@ jobs: node: [18] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node uses: actions/setup-node@v4 with: diff --git a/.github/workflows/js_lint.yaml b/.github/workflows/js_lint.yaml index ea821e1c105b..a7d3757d416e 100644 --- a/.github/workflows/js_lint.yaml +++ b/.github/workflows/js_lint.yaml 
@@ -19,6 +19,8 @@ jobs: node: [18] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node uses: actions/setup-node@v4 with: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 37d337fb95fe..1a63044ef977 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -29,6 +29,8 @@ jobs: CORE_PATH: 'lib/galaxy/dependencies/pinned-requirements.txt' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/lint_openapi_schema.yml b/.github/workflows/lint_openapi_schema.yml index 4dc692fc2739..f4501a4b7cb2 100644 --- a/.github/workflows/lint_openapi_schema.yml +++ b/.github/workflows/lint_openapi_schema.yml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/mulled.yaml b/.github/workflows/mulled.yaml index 4d654af6ddbb..31f27ae18956 100644 --- a/.github/workflows/mulled.yaml +++ b/.github/workflows/mulled.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/osx_startup.yaml b/.github/workflows/osx_startup.yaml index 13960eb8e85f..8ebc36df2ac5 100644 --- a/.github/workflows/osx_startup.yaml +++ b/.github/workflows/osx_startup.yaml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml index ab4063c51f7d..e459793dfa51 100644 --- a/.github/workflows/performance.yaml +++ b/.github/workflows/performance.yaml 
@@ -42,6 +42,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/publish_artifacts.yaml b/.github/workflows/publish_artifacts.yaml index dded5d1086eb..56b65d6b95ad 100644 --- a/.github/workflows/publish_artifacts.yaml +++ b/.github/workflows/publish_artifacts.yaml @@ -15,6 +15,8 @@ jobs: with: python-version: ${{ matrix.python-version }} - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install script dependencies run: pip install galaxy-release-util - name: Build and publish diff --git a/.github/workflows/reports_startup.yaml b/.github/workflows/reports_startup.yaml index b7449dc5979c..245f58bb520c 100644 --- a/.github/workflows/reports_startup.yaml +++ b/.github/workflows/reports_startup.yaml @@ -26,6 +26,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/selenium.yaml b/.github/workflows/selenium.yaml index 195eb02b3de0..834933af75ec 100644 --- a/.github/workflows/selenium.yaml +++ b/.github/workflows/selenium.yaml @@ -51,6 +51,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/test_galaxy_packages.yaml b/.github/workflows/test_galaxy_packages.yaml index f38f05846e74..5c9b4e53aa46 100644 --- a/.github/workflows/test_galaxy_packages.yaml +++ b/.github/workflows/test_galaxy_packages.yaml @@ -23,6 +23,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/test_galaxy_packages_for_pulsar.yaml b/.github/workflows/test_galaxy_packages_for_pulsar.yaml index 5f54f7fd31ad..e05366875b9c 100644 
--- a/.github/workflows/test_galaxy_packages_for_pulsar.yaml +++ b/.github/workflows/test_galaxy_packages_for_pulsar.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/test_galaxy_release.yaml b/.github/workflows/test_galaxy_release.yaml index 6e39d98adc8e..fdb22d8f7570 100644 --- a/.github/workflows/test_galaxy_release.yaml +++ b/.github/workflows/test_galaxy_release.yaml @@ -25,5 +25,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Run tests run: ./test/release.sh diff --git a/.github/workflows/toolshed.yaml b/.github/workflows/toolshed.yaml index 14be278e16bc..17f99e584070 100644 --- a/.github/workflows/toolshed.yaml +++ b/.github/workflows/toolshed.yaml @@ -37,6 +37,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/unit-postgres.yaml b/.github/workflows/unit-postgres.yaml index 92ee7795854c..c984a8c68014 100644 --- a/.github/workflows/unit-postgres.yaml +++ b/.github/workflows/unit-postgres.yaml @@ -36,6 +36,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1' diff --git a/.github/workflows/unit.yaml b/.github/workflows/unit.yaml index 671dcac0162d..88e14baec99b 100644 --- a/.github/workflows/unit.yaml +++ b/.github/workflows/unit.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: path: 'galaxy root' + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '18.12.1'