Unactioned Review Feedback
Source PR: #134
File: .github/workflows/validate-docs.yml
Reviewers: coderabbit
Findings: 1
Max severity: high
HIGH: coderabbit (coderabbitai[bot])
File: .github/workflows/validate-docs.yml:58
⚠️ Potential issue | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
cd /root && find . -name "validate-docs.yml" -type f 2>/dev/null | head -20
Repository: Ultimate-Multisite/docs
Length of output: 123
🏁 Script executed:
cat -n .github/workflows/validate-docs.yml | sed -n '50,65p'
Repository: Ultimate-Multisite/docs
Length of output: 645
🏁 Script executed:
cat -n .github/workflows/validate-docs.yml | sed -n '120,130p'
Repository: Ultimate-Multisite/docs
Length of output: 427
🌐 Web query:
actions/checkout v6 persist-credentials default behavior GitHub Actions documentation
💡 Result:
In actions/checkout v6, the persist-credentials input defaults to true [1][2]. When set to true (the default), the action configures the local Git environment to use the provided authentication token or SSH key [1][3]. In v6, this behavior was improved for security by storing credentials in a separate file under the $RUNNER_TEMP directory instead of writing them directly into the .git/config file [1][3]. This allows subsequent Git commands in your workflow (such as git fetch or git push) to run authenticated automatically without requiring additional setup [1][2]. The token is securely removed during the post-job cleanup phase [1][3]. If you wish to prevent the action from configuring these credentials, you can set the persist-credentials input to false [1][4].
Citations:
Disable credential persistence in both checkout steps.
Both actions/checkout@v6 steps persist the authentication token to the Git environment by default, making it available to all subsequent steps. Add persist-credentials: false at lines 58 and 124 to reduce token exposure when not needed for Git operations.
Suggested patch
- uses: actions/checkout@v6
with:
fetch-depth: 0
+ persist-credentials: false
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
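Review bot: the suggested patch fixes credential persistence but leaves both `uses: actions/checkout@v6` lines on a mutable tag, which the zizmor output on this same page reports as an unpinned-uses error; pin each reference to a full commit SHA (keeping the tag in a trailing comment) in the same change rather than a follow-up. Before applying, also confirm that no later step in validate-docs.yml runs an authenticated git command (push, or fetch of a private ref), since those stop working once persist-credentials is false; the finding itself scopes the change to cases where Git authentication is not needed.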
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
- uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 56-58: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
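Added example, not code from the Ultimate-Multisite/docs repository, from CodeRabbit or from zizmor: a stdlib-only Python check that reproduces the two findings above over workflow text, the artipacked default (persist-credentials left at true on an actions/checkout step) and the unpinned-uses tag reference (here generalized to every `uses:` line, since any action pinned to a tag is retargetable), and runs it over two constructed workflows, one shaped like the flagged steps and one hardened. It assumes the usual layout in which a step's keys sit two spaces deeper than its list dash and a `with:` block follows `uses:`; the 40-character SHA in the hardened sample is a placeholder, not a real actions/checkout release commit, and the file paths under ./scripts are invented.

```python
"""Flag actions/checkout steps that keep the default credential persistence
(zizmor: artipacked) and `uses:` refs not pinned to a commit SHA (unpinned-uses)
by a line-oriented scan; assumes step keys sit two spaces deeper than the '-'."""
import re

# A step's `uses:` key, with or without the list dash on the same line.
USES_RE = re.compile(r"^(?P<ws>[ ]*)(?P<dash>-[ ]+)?uses:[ ]*(?P<ref>[^\s#]+)")
# A full commit SHA; a tag such as v6 is mutable and can be retargeted, a SHA cannot.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_RE = re.compile(r"persist-credentials:[ ]*(\S+)")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_lines(lines, idx, key_indent):
    """Lines of the list item (step) that owns lines[idx], its `uses:` line."""
    start = 0
    if lines[idx].lstrip().startswith("-"):
        start = idx
    else:  # `uses:` is not the first key (a `- name:` precedes it): walk back to the '-'
        j = idx - 1
        while j >= 0:
            text = lines[j]
            if text.strip() and _indent(text) < key_indent:
                on_dash = _indent(text) == key_indent - 2 and text.lstrip().startswith("-")
                start = j if on_dash else j + 1
                break
            j -= 1
    end = idx + 1
    while end < len(lines) and not (lines[end].strip() and _indent(lines[end]) < key_indent):
        end += 1
    return lines[start:end]


def audit_workflow(workflow_text):
    """Return (line_number, ref, message) findings; an empty list means clean."""
    lines = workflow_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        action, at, version = ref.partition("@")
        if at and not SHA_RE.match(version):  # local ./ and docker:// refs carry no '@'
            findings.append((idx + 1, ref, f"unpinned-uses: '@{version}' is a mutable ref, pin a commit SHA"))
        if action == "actions/checkout":
            key_indent = len(m.group("ws")) + len(m.group("dash") or "")
            step = " ".join(_step_lines(lines, idx, key_indent))
            pm = PERSIST_RE.search(step)
            if pm is None or pm.group(1) != "false":
                findings.append((idx + 1, ref, "artipacked: persist-credentials is not false, "
                                               "the job token stays available to every later step"))
    return findings


# Constructed sample shaped like the flagged workflow: both checkouts keep the
# default persist-credentials (true) and reference the mutable v6 tag.
WEAK_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - run: ./scripts/lint-docs.sh
  links:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
      - run: ./scripts/check-links.sh
"""

# Same workflow with both findings fixed. The SHA is a placeholder, not a real
# actions/checkout release commit: pin the commit behind the tag you vetted.
PLACEHOLDER_SHA = "f" * 40
HARDENED_WORKFLOW = f"""\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v6 (placeholder SHA)
        with:
          fetch-depth: 0
          persist-credentials: false
      - run: ./scripts/lint-docs.sh
  links:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@{PLACEHOLDER_SHA}  # v6 (placeholder SHA)
        with:
          persist-credentials: false
      - run: ./scripts/check-links.sh
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text) or "clean")
```

Run against the weak sample it reports four findings, two per checkout step (one artipacked, one unpinned-uses), and nothing against the hardened one; a step that sets persist-credentials: true explicitly is reported the same way as one that omits the key, since only an explicit false disables persistence. The scan is deliberately shallow: it does not parse YAML and will miss steps written with flow-style mappings, so it is a pre-commit guard, not a replacement for zizmor.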
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/validate-docs.yml around lines 56 - 58, Both
actions/checkout@v6 steps in the validate-docs workflow have default credential
persistence enabled, which unnecessarily exposes the authentication token to
subsequent steps. Add the parameter persist-credentials: false to the with
section of each checkout step to disable token persistence and reduce security
exposure when Git authentication is not needed for the workflow operations.
Source: Linters/SAST tools
✅ Addressed in commit e84d758
View comment
Auto-generated by quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.
aidevops.sh v3.20.86 automated scan.