From 5d50adf20946665d92df2e9f2551f3db1946d5b0 Mon Sep 17 00:00:00 2001 From: Sebastiaan Zeeff Date: Sat, 14 Nov 2020 11:07:18 +0100 Subject: Stop Checkout Actions from persisting credentials By default, the Checkout Actions persists the credentials in the environment. As our Actions will also run for PRs made from a fork, we don't want to persist credentials in such a way. I've also: - Ported a comment on PIP_USER and pre-commit from the azure configs - Removed unnecessary id for the pre-commit caching step Signed-off-by: Sebastiaan Zeeff --- .github/workflows/lint-test-build.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-test-build.yml b/.github/workflows/lint-test-build.yml index 05783e813..9101574ae 100644 --- a/.github/workflows/lint-test-build.yml +++ b/.github/workflows/lint-test-build.yml @@ -33,8 +33,12 @@ jobs: - name: Add custom PYTHONUSERBASE to PATH run: echo '${{ env.PYTHONUSERBASE }}/bin/' >> $GITHUB_PATH + # We don't want to persist credentials, as our GitHub Action + # may be run when a PR is made from a fork. - name: Checkout repository uses: actions/checkout@v2 + with: + persist-credentials: false - name: Setup python id: python @@ -59,14 +63,15 @@ jobs: - name: Pre-commit Environment Caching uses: actions/cache@v2 - id: pre_commit_cache with: path: ${{ env.PRE_COMMIT_HOME }} key: "precommit-0-${{ runner.os }}-${{ env.PRE_COMMIT_HOME }}-\ ${{ steps.python.outputs.python-version }}-\ ${{ hashFiles('./.pre-commit-config.yaml') }}" - # We will not run `flake8` here, as we will use a separate flake8 action + # We will not run `flake8` here, as we will use a separate flake8 + # action. As pre-commit does not support user installs, and we don't + # really need it, we set PIP_USER=0. - name: Run pre-commit hooks run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files -- cgit v1.2.3