internal/ci: disable checkout persist-credentials by default

But provide a "hook" by which uses of the steps can override the
default.

Signed-off-by: Paul Jolly <paul@myitcv.io>
Change-Id: I3d7c92c808e1ec95235e03f92c2d8bf3ff7a178b
Reviewed-on: https://cue.gerrithub.io/c/cue-lang/cue/+/1231230
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: CUEcueckoo <cueckoo@cuelang.org>

+62 -44
+1
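--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -26,6 +26,7 @@
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
+persist-credentials: false
 - name: Reset git directory modification times
 run: touch -t 202211302355 $(find * -type d)
 - name: Restore git file modification times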
+1
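--- a/.github/workflows/trybot.yaml
+++ b/.github/workflows/trybot.yaml
@@ -41,6 +41,7 @@
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
+persist-credentials: false
 - name: Reset git directory modification times
 run: touch -t 202211302355 $(find * -type d)
 - name: Restore git file modification times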
+60 -44
internal/ci/base/github.cue
··· 87 87 ] 88 88 } 89 89 90 - checkoutCode: [...githubactions.#Step] & [ 91 - { 92 - name: "Checkout code" 93 - uses: "actions/checkout@v6" // TODO(mvdan): switch to namespacelabs/nscloud-checkout-action@v1 once Windows supports caching 90 + checkoutCode: [...githubactions.#Step] & { 91 + #checkout: _ 94 92 95 - // "pull_request_target" builds will by default use a merge commit, 96 - // testing the PR's HEAD merged on top of the master branch. 97 - // For consistency with Gerrit, avoid that merge commit entirely. 98 - // This doesn't affect builds by other events like "push", 99 - // since github.event.pull_request is unset so ref remains empty. 100 - with: { 101 - ref: "${{ github.event.pull_request.head.sha }}" 102 - "fetch-depth": 0 // see the docs below 103 - } 104 - }, 93 + [ 94 + { 95 + #checkout... 105 96 106 - // Restore modified times to work around https://go.dev/issues/58571, 107 - // as otherwise we would get lots of unnecessary Go test cache misses. 108 - // Note that this action requires actions/checkout to use a fetch-depth of 0. 109 - // Since this is a third-party action which runs arbitrary code, 110 - // we pin a commit hash for v2 to be in control of code updates. 111 - // Also note that git-restore-mtime does not update all directories, 112 - // per the bug report at https://github.com/MestreLion/git-tools/issues/47, 113 - // so we first reset all directory timestamps to a static time as a fallback. 114 - // TODO(mvdan): May be unnecessary once the Go bug above is fixed. 
115 - { 116 - name: "Reset git directory modification times" 117 - run: "touch -t 202211302355 $(find * -type d)" 118 - }, 119 - { 120 - name: "Restore git file modification times" 121 - uses: "chetan/git-restore-mtime-action@cbf8161ddb4e9b162409104954fb540e8a38c1da" // 2025-08-27 122 - }, 97 + name: "Checkout code" 98 + uses: "actions/checkout@v6" // TODO(mvdan): switch to namespacelabs/nscloud-checkout-action@v1 once Windows supports caching 123 99 124 - { 125 - name: "Try to extract \(dispatchTrailer)" 126 - id: dispatchTrailerStepID 127 - run: """ 100 + // "pull_request_target" builds will by default use a merge commit, 101 + // testing the PR's HEAD merged on top of the master branch. 102 + // For consistency with Gerrit, avoid that merge commit entirely. 103 + // This doesn't affect builds by other events like "push", 104 + // since github.event.pull_request is unset so ref remains empty. 105 + with: { 106 + ref: "${{ github.event.pull_request.head.sha }}" 107 + "fetch-depth": 0 // see the docs below 108 + 109 + // Default persist-credentials to false. Limiting the use of 110 + // credentials to the checkout step maintains the principle of 111 + // least privilege. But it also means that if/where we need to set 112 + // custom credentials elsewhere (via git's extraheader) then we 113 + // don't end up with a situation of having double extraheaders in 114 + // the resulting config. For example, in the cuelang.org tip deploy 115 + // workflow, we set a custom header with write permissions when we 116 + // want to push to tip.cuelang.org. 117 + "persist-credentials": *false | bool 118 + } 119 + }, 120 + 121 + // Restore modified times to work around https://go.dev/issues/58571, 122 + // as otherwise we would get lots of unnecessary Go test cache misses. 123 + // Note that this action requires actions/checkout to use a fetch-depth of 0. 
124 + // Since this is a third-party action which runs arbitrary code, 125 + // we pin a commit hash for v2 to be in control of code updates. 126 + // Also note that git-restore-mtime does not update all directories, 127 + // per the bug report at https://github.com/MestreLion/git-tools/issues/47, 128 + // so we first reset all directory timestamps to a static time as a fallback. 129 + // TODO(mvdan): May be unnecessary once the Go bug above is fixed. 130 + { 131 + name: "Reset git directory modification times" 132 + run: "touch -t 202211302355 $(find * -type d)" 133 + }, 134 + { 135 + name: "Restore git file modification times" 136 + uses: "chetan/git-restore-mtime-action@cbf8161ddb4e9b162409104954fb540e8a38c1da" // 2025-08-27 137 + }, 138 + 139 + { 140 + name: "Try to extract \(dispatchTrailer)" 141 + id: dispatchTrailerStepID 142 + run: """ 128 143 x="$(git log -1 --pretty='%(trailers:key=\(dispatchTrailer),valueonly)')" 129 144 if [[ "$x" == "" ]] 130 145 then ··· 140 155 echo "$x" >> $GITHUB_OUTPUT 141 156 echo "EOD" >> $GITHUB_OUTPUT 142 157 """ 143 - }, 158 + }, 144 159 145 - // Safety nets to flag if we ever have a Dispatch-Trailer slip through the 146 - // net and make it to master 147 - { 148 - name: "Check we don't have \(dispatchTrailer) on a protected branch" 149 - if: "\(isProtectedBranch) && \(containsDispatchTrailer)" 150 - run: """ 160 + // Safety nets to flag if we ever have a Dispatch-Trailer slip through the 161 + // net and make it to master 162 + { 163 + name: "Check we don't have \(dispatchTrailer) on a protected branch" 164 + if: "\(isProtectedBranch) && \(containsDispatchTrailer)" 165 + run: """ 151 166 echo "\(_dispatchTrailerVariable) contains \(dispatchTrailer) but we are on a protected branch" 152 167 false 153 168 """ 154 - }, 155 - ] 169 + }, 170 + ] 171 + } 156 172 157 173 earlyChecks: githubactions.#Step & { 158 174 name: "Early git and code sanity checks"
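Review bot: The override hook `"persist-credentials": *false | bool` (new line 117) lets any consumer of `#checkout` silently flip the checkout back to writing the token it was given into `.git/config`, and the comment above it explains only why the default is false, not what enabling it costs: this checkout runs under `pull_request_target` with `ref: github.event.pull_request.head.sha` (new lines 100–106), so a persisted token would be readable by PR-controlled code in every later step, including the pinned third-party action that the comment at new lines 124–125 itself describes as running arbitrary code. I would extend the comment with `// Overriding this to true exposes the checkout token to every later step; never do so in a workflow that checks out untrusted (PR) code.` Separately, with credentials no longer persisted, any later step in these workflows that runs `git fetch` or `git push` now needs its own credentials — I cannot see such a step in this hunk, so that is for the author to confirm. The file continues past the end of the hunk (`earlyChecks` begins at new line 173).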