From 0fa90791298e14fa15dbba2b82e0579ed85c41a4 Mon Sep 17 00:00:00 2001
From: "Vipul Gupta (@vipulgupta2048)" <vipulgupta2048@gmail.com>
Date: Thu, 26 Sep 2024 12:39:39 +0530
Subject: [PATCH] patch: Stop persisting credentials in actions/checkout

Signed-off-by: Vipul Gupta (@vipulgupta2048) <vipulgupta2048@gmail.com>
---
 .github/workflows/yocto-build-deploy.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index bf9bbeed1..3db3f9557 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -388,6 +388,9 @@ jobs:
           repository: balena-io/private-contracts
           token: ${{ steps.app-token-balena-io.outputs.token }}
           path: ${{ github.workspace }}/private-contracts
+          # Do not persist the token credentials,
+          # and prefer that each step provide credentials where required
+          persist-credentials: false
 
       # Unrolled balena_api_is_dt_private function - https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-api.inc#L424
       # Had to be unrolled due to this: https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-lib.inc#L191 function relying on a jenkins env var to select the balena env - so failed
@@ -1133,6 +1136,9 @@ jobs:
           repository: balena-io/private-contracts
           token: ${{ steps.app-token-balena-io.outputs.token }}
           path: ${{ env.LEVIATHAN_ROOT }}/core/private-contracts
+          # Do not persist the token credentials,
+          # and prefer that each step provide credentials where required
+          persist-credentials: false
 
       # Image was uploaded uncompressed and Leviathan test config.js expects the image in a certain place and with a certain name
       # The balena.img file is downloaded to ${WORKSPACE}/image/balena.img