Merge e832aee124 into 85e6279cec

Adjust positioning of user email note and permissions heading (#2044 )
Documentation update - add recommended permissions to Readme (#2043 )
2025-04-20 17:00:15 +03:00 · 2025-01-22 15:44:57 +03:00 · 2025-01-16 15:56:18 -05:00 · 2025-01-16 14:14:48 -05:00 · 2024-04-20 23:37:24 +00:00
2 changed files with 12 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@ This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workfl

 Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.

-The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+Set `persist-credentials: true` to opt-in to persist the auth token in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup.

 When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.

@ -68,7 +68,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    ssh-user: ''

    # Whether to configure the token or SSH key with the local git config
-    # Default: true
+    # Default: false
    persist-credentials: ''

    # Relative path under $GITHUB_WORKSPACE to place the repository
@ -311,8 +311,17 @@ jobs:
          git commit -m "generated"
          git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D

+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```

 # License

--- a/action.yml
+++ b/action.yml
@ -51,7 +51,7 @@ inputs:
    default: git
  persist-credentials:
    description: 'Whether to configure the token or SSH key with the local git config'
-    default: true
+    default: false
  path:
    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
  clean:
Author	SHA1	Message	Date
Michi Mutsuzaki	5da1eb48b5	Merge `e832aee124` into `85e6279cec`	2025-01-22 15:44:57 +03:00
Josh Gross	85e6279cec	Adjust positioning of user email note and permissions heading (#2044 ) Some checks failed CodeQL / Analyze (push) Has been cancelled Details Licensed / Check licenses (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / test (macos-latest) (push) Has been cancelled Details Build and Test / test (ubuntu-latest) (push) Has been cancelled Details Build and Test / test (windows-latest) (push) Has been cancelled Details Build and Test / test-proxy (push) Has been cancelled Details Build and Test / test-bypass-proxy (push) Has been cancelled Details Build and Test / test-git-container (push) Has been cancelled Details Build and Test / test-output (push) Has been cancelled Details	2025-01-16 15:56:18 -05:00
Ben Wells	009b9ae9e4	Documentation update - add recommended permissions to Readme (#2043 ) * Update README.md * Update README.md Co-authored-by: Josh Gross <joshmgross@github.com> --------- Co-authored-by: Josh Gross <joshmgross@github.com>	2025-01-16 14:14:48 -05:00
Michi Mutsuzaki	e832aee124	Change the default value of persist-credentials to false Change the default value of persist-credentials setting from true to false to reduce the risk of unintentionally exposing the GITHUB_TOKEN secret. Fixes: #485 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>	2024-04-20 23:37:24 +00:00