
ci: don't persist credentials for read-only nixpkgs checkout #42

Merged: smorin merged 1 commit into main from claude/wizardly-goldberg-0gkmj7 on Jun 16, 2026
Conversation

smorin (Owner) commented Jun 15, 2026

What

Add persist-credentials: false to the NixOS/nixpkgs checkout in .github/workflows/nixpkgs-update.yml.

Why

That step checks out NixOS/nixpkgs only to read it and compute a version bump locally. The resulting PR is pushed to the smorin/nixpkgs fork by peter-evans/create-pull-request using its own NIXPKGS_UPDATE_TOKEN (push-to-fork) — never the checkout's persisted credentials. The only other git use is git diff (read-only).

By default actions/checkout persists the token into .git/config after cloning. Since no later step needs it, persisting it only widens the window for a later step to read or misuse the credential. persist-credentials: false uses the token for the initial clone only, then strips it.

Scope notes

  • This is the only read-only external-repo checkout in the workflows. All other checkouts target the current repo.
  • release-please.yml was deliberately left unchanged: its checkout uses a write token and a later step runs git push, which requires the persisted credentials.

Validation

  • Workflow YAML parses cleanly.
  • nixpkgs-update.yml is workflow_dispatch-only, so this change does not affect PR/push CI.
  • The uses: version pin was not touched.

https://claude.ai/code/session_016wuFKi9GQvDfT6kARKn36F


Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration to enhance security by preventing credential persistence during repository checkout.

The nixpkgs-update workflow checks out NixOS/nixpkgs only to read it and
compute a version bump locally; the resulting PR is pushed to the
smorin/nixpkgs fork via peter-evans/create-pull-request using its own
NIXPKGS_UPDATE_TOKEN, never via the checkout's persisted credentials.

Set persist-credentials: false so the default GITHUB_TOKEN is used for the
initial clone only and stripped from .git/config afterward, preventing later
steps from reading or misusing it.
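What persist-credentials: false actually changes on disk, as an added example that is not part of this PR or of the repository's workflows: actions/checkout persists the job token in the clone's local .git/config under the key http.https://github.com/.extraheader, as an AUTHORIZATION: basic header whose value is base64("x-access-token:" + TOKEN). Any later step in the same job can read it with a single git config call. The script below simulates that default in a throwaway repository, shows what a later step recovers from it, then removes the entry, which is the end state persist-credentials: false leaves. The repository path and token value are constructed for the demo; nothing here contacts GitHub.

```shell
#!/bin/sh
# Added example, not code from the PR or from the repository's workflows.
# Assumption: actions/checkout persists the job token in the clone's local
# .git/config under http.https://github.com/.extraheader as
#   AUTHORIZATION: basic base64("x-access-token:" + TOKEN)
# The repo path and token below are constructed for the demo; nothing here
# contacts GitHub.
set -eu

GITHUB_HEADER_KEY='http.https://github.com/.extraheader'

# Print the stored Authorization header for the repo at $1 and return 0, or
# return 1 when nothing is persisted (the state persist-credentials: false leaves).
persisted_github_token() {
  git -C "$1" config --local --get-all "$GITHUB_HEADER_KEY" 2>/dev/null \
    | grep -i '^AUTHORIZATION: basic ' || return 1
}

# What a later (possibly compromised) step can do with that header: recover the
# plaintext "x-access-token:TOKEN" pair.
decode_persisted_token() {
  header=$(persisted_github_token "$1") || return 1
  printf '%s' "${header#*basic }" | base64 -d
}

# Remove the entry; this is what persist-credentials: false does after the clone.
strip_persisted_token() {
  git -C "$1" config --local --unset-all "$GITHUB_HEADER_KEY" || true
}

# Simulate the default (persist-credentials: true) outcome in a throwaway repo.
simulate_default_checkout() {
  repo=$1
  token=$2
  git init -q "$repo"
  encoded=$(printf 'x-access-token:%s' "$token" | base64 | tr -d '\n')
  git -C "$repo" config --local "$GITHUB_HEADER_KEY" "AUTHORIZATION: basic $encoded"
}

# Demo run with a constructed token value.
demo_dir=$(mktemp -d)
simulate_default_checkout "$demo_dir/nixpkgs" 'ghs_constructeddemotoken'
echo "later step sees: $(decode_persisted_token "$demo_dir/nixpkgs")"
strip_persisted_token "$demo_dir/nixpkgs"
if persisted_github_token "$demo_dir/nixpkgs" >/dev/null; then
  echo "token still persisted in .git/config"
else
  echo "after stripping: no token in .git/config"
fi
rm -rf "$demo_dir"
```

To audit a real job, add a step after the checkout that runs git config --local --get-all http.https://github.com/.extraheader; with persist-credentials: false it prints nothing. The same check is why release-please.yml cannot take this change: its later git push relies on exactly this header being present.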
coderabbitai (bot) commented Jun 15, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed2e05d0-830d-4e59-96a3-d90c7e9d49b1

📥 Commits

Reviewing files that changed from the base of the PR and between c9a4e45 and 6e3f23c.

📒 Files selected for processing (1)
  • .github/workflows/nixpkgs-update.yml

Walkthrough

A single line, persist-credentials: false, is added to the actions/checkout step in .github/workflows/nixpkgs-update.yml. This prevents the GitHub-provided token from being stored in the local Git config after the checkout step completes.

Changes

nixpkgs-update Workflow Hardening
  • Layer: Checkout credential persistence disabled
  • File(s): .github/workflows/nixpkgs-update.yml
  • Summary: Adds persist-credentials: false to the actions/checkout step, preventing the GitHub token from being retained in the local Git configuration after checkout.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops through workflows neat,
One line changed — credentials discrete!
No tokens left behind to roam,
The checkout cleans its little home.
🐇✨ Hop hop, secure and fleet!

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding persist-credentials: false to prevent unnecessary credential persistence in a read-only checkout operation.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment

Pull request overview

This PR hardens the nixpkgs update workflow by ensuring the GitHub token used for the read-only NixOS/nixpkgs checkout is not persisted into the local git config, reducing the risk of later steps accessing credentials unnecessarily.

Changes:

  • Add persist-credentials: false to the actions/checkout step that clones NixOS/nixpkgs for local diff/version computation.


@smorin smorin merged commit 399ed65 into main Jun 16, 2026
22 checks passed