ci: set persist-credentials:false on Go CI checkout (Aikido) #1090

Closed
dorothyyzh wants to merge 1 commit into main from fix/aikido-dependency-vulnerabilities-2026-06-29

Conversation

@dorothyyzh

Contributor

Summary

Hardens the Go CI workflow against the Aikido SAST finding "GitHub Action actions/checkout persist Git credentials in workflow" (Low / SAST).

actions/checkout@v2+ leaves the default GITHUB_TOKEN in the repo's local .git/config for the rest of the job unless persist-credentials: false is set. Subsequent steps or compromised third-party actions could then read it. The Go job here only builds and tests — it never performs an authenticated git push back to the repo — so the token does not need to persist.

Change

  • .github/workflows/go.yml: add persist-credentials: false to the actions/checkout step.

That's the only change. submodules: true is kept (the repo currently has no submodules, but the flag is left untouched); the checkout still fetches everything it needs during the action itself.

Verification

  • YAML / actionlint parse the workflow cleanly (the pre-existing "action version too old" warnings for checkout@v3 / setup-go@v3 / aws-actions@v2 are unrelated to this change and intentionally left alone).
  • The real test is this PR's own CI run: the Go job runs go build ./... + go test ./.... If dependency fetching relied on the persisted checkout token, the build would fail here — so a green run confirms persist-credentials: false is safe for this repo.

Deployment Note

Skill does not touch release-* branches. Merging is handled per team policy.

actions/checkout v2+ leaves the default GITHUB_TOKEN in .git/config for the
rest of the job, where later steps or third-party actions could read it. The
Go CI job only builds/tests and never pushes back to the repo, so the token
does not need to persist. Sets persist-credentials: false per Aikido SAST
finding 'GitHub Action actions/checkout persist Git credentials in workflow'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
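To show what the one-line change looks like in place, here is an added before/after sketch of the checkout step. It is not the PR's diff (the page carries only the description and commit message): the workflow name, job layout, Go version and step names are assumptions, and the explicit verification step is an editor's addition that relies on actions/checkout storing the token as an `http.<server-url>/.extraheader` entry in the local git config.

```yaml
# Added illustration, not the PR's own diff: the workflow name, job layout,
# Go version and step names are assumptions.
name: Go

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (weak): the default GITHUB_TOKEN stays in .git/config as an
      # http.<server-url>/.extraheader entry for the rest of the job, where
      # every later step and third-party action can read it.
      # - uses: actions/checkout@v3
      #   with:
      #     submodules: true

      # AFTER (hardened): the token is used for the fetch itself and then
      # removed from the local git config when the checkout step finishes.
      - uses: actions/checkout@v3
        with:
          submodules: true
          persist-credentials: false

      # Editor's addition: fail fast if any credential header survived the
      # checkout. `git config --get-regexp` exits non-zero when nothing matches,
      # so the `if` body runs only when a header is still present.
      - name: Assert no git credentials persisted
        run: |
          if git config --local --get-regexp '^http\..*\.extraheader$' >/dev/null; then
            echo "checkout left a credential header in .git/config" >&2
            exit 1
          fi

      - uses: actions/setup-go@v3
        with:
          go-version: '1.22'   # assumed; the page does not state the Go version

      # The PR's own safety check: if dependency fetching had relied on the
      # persisted token, these would fail once the credential is gone.
      - run: go build ./...
      - run: go test ./...
```

The assertion step belongs directly after the checkout so that it runs before any third-party action. If a later step in some other workflow does need to push, the right fix is to hand that step a token explicitly (for example via its own `with:` input or an environment variable) rather than turning credential persistence back on for the whole job.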
@deepsource-io

deepsource-io Bot commented Jun 29, 2026


DeepSource Code Review

We reviewed changes in 3ea7d84...9178954 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card (grade badges for Overall Grade, Security, Reliability, Complexity and Hygiene)

Code Review Summary

  • Analyzer: Go
  • Updated (UTC): Jun 29, 2026, 7:36 a.m.
  • Details: Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@codecov

codecov Bot commented Jun 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@dorothyyzh dorothyyzh closed this Jun 29, 2026

1 participant