[llvm-branch-commits] [llvm] release/19.x: workflows/release-binaries: Remove .git/config file from artifacts (#106310) (PR #106821)
Tobias Hieta via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Sun Sep 1 00:51:10 PDT 2024
https://github.com/tru updated https://github.com/llvm/llvm-project/pull/106821
From c21b039178b2efd17bc4eef906ab7b3a07cab288 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Fri, 30 Aug 2024 19:46:33 -0700
Subject: [PATCH] workflows/release-binaries: Remove .git/config file from artifacts (#106310)
The .git/config file contains an auth token that can be leaked if the
.git directory is included in a workflow artifact.
(cherry picked from commit ef50970204384643acca42ba4c7ca8f14865a0c2)
---
.github/workflows/release-binaries-save-stage/action.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index e2f3eeadd15bea..f08088c7bc56f1 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -10,6 +10,9 @@ inputs:
required: true
type: 'string'
+permissions:
+ contents: read
+
runs:
using: "composite"
steps:
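Review bot: the `permissions:` block added between `type: 'string'` and `runs:` has no effect here, because `permissions` is a workflow/job-level key and is not part of the action metadata syntax for a composite action (`runs: using: "composite"`); the scope of the token this action sees is decided by the `permissions` of the job in the calling workflow. Either drop these three lines or move the `contents: read` restriction to the job in the release-binaries workflow that invokes this action, so the narrowed scope is actually enforced.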
@@ -18,6 +21,9 @@ runs:
- name: Package Build and Source Directories
shell: bash
run: |
+ # Remove .git/config to avoid leaking GITHUB_TOKEN stored there.
+ # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
+ rm -Rf .git/config
# Windows does not support symlinks, so we need to dereference them.
tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
mv ../llvm-project.tar.zst .
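Review bot: `rm -Rf .git/config` removes the whole config file, not just the credential entry, so the remote and any other repository settings are gone for every later step of this job; any subsequent git operation against the remote in the same job would fail, and that side effect is not mentioned in the comment. If later steps need the repository to stay usable, scrub only the auth-related entry (or restore the file after the `tar` line) instead of deleting the file. Also, `-R` is unnecessary for a single regular file; `rm -f .git/config` is enough. The ordering is otherwise right: the deletion happens before `tar --exclude build/ ... -c .` packs the tree, so the archive no longer carries the token.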