chore(deps): bump actions/checkout from 4 to 5#27
chore(deps): bump actions/checkout from 4 to 5#27dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![arnica-github-connector[bot]](https://avatars.githubusercontent.com/in/144692?s=60&v=4){kind=small}
| python-version: ['3.12'] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| runs-on: blacksmith-4vcpu-ubuntu-2204 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| runs-on: blacksmith-4vcpu-ubuntu-2204 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout branch | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| runs-on: blacksmith-4vcpu-ubuntu-2204 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| runs-on: blacksmith-4vcpu-ubuntu-2204 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| python-version: ['3.12'] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
| base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
There was a problem hiding this comment.
Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability
Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.
Severity: Medium
Status: Open 🔴
References:
More details:
If you see an issue, please contact either @shasheen or @phil in the #security-engineering slack channel
Details
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk:
[arnica] ack <acknowledge additional details>
To dismiss the risk with a reason:
[arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and im looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
Bumps actions/checkout from 4 to 5.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
08c6903Prepare v5.0.0 release (#2238)9f26565Update actions checkout to use node 24 (#2226)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)