Heuristic: Persist Credentials False (testtimescaling.github.io)
| Knowledge Sources | |
|---|---|
| Domains | CI_CD, Security |
| Last Updated | 2026-02-14 00:00 GMT |
Overview
Security best practice of setting persist-credentials: false on actions/checkout to prevent the GITHUB_TOKEN from being stored in the local git config, requiring explicit credential management for push operations.
Description
By default, actions/checkout persists the GITHUB_TOKEN in the checked-out repository's git configuration (as an http.extraheader). This makes subsequent git push commands work automatically, but it also means the token is accessible to any subsequent step in the workflow -- including third-party actions that may run arbitrary code.
Setting persist-credentials: false removes this automatic credential injection. Subsequent steps that need to push must explicitly configure authentication, typically by setting the remote URL with an x-access-token scheme. This provides better control over which steps have push access and reduces the attack surface if a third-party action is compromised.
Usage
Use this heuristic whenever you use actions/checkout in a workflow that also:
- Runs third-party actions after checkout
- Needs to limit which steps can push to the repository
- Follows the principle of least privilege for credential access
The Insight (Rule of Thumb)
- Action: Set `persist-credentials: false` in the `actions/checkout` step.
- Value: Boolean `false`.
- Trade-off: Subsequent steps cannot push without explicit credential setup. You must add a "Configure git" step that sets the remote URL with the token before any `git push` command.
- Complement: Pair with an explicit `git remote set-url origin https://x-access-token:$TOKEN@github.com/...` command in the step that needs push access.
Reasoning
This follows the principle of least privilege: credentials should only be available to the code that actually needs them. In the citation tracking workflow, the checkout step and the script execution step do not need push access -- only the final "Commit and push" step does. By removing persisted credentials and adding them explicitly only where needed, the workflow limits the blast radius of any potential security issue in intermediate steps.
This is particularly important in workflows that:
- Run user-contributed code or scripts
- Use third-party marketplace actions
- Process untrusted input data
Code Evidence
Checkout with persist-credentials: false from .github/workflows/update_citations.yml:L15-18:
```yaml
- name: Checkout
  uses: actions/checkout@v3
  with:
    persist-credentials: false
```
Explicit credential setup in a later step from .github/workflows/update_citations.yml:L21-25:
```yaml
- name: Configure git
  run: |
    git config --global user.email "github-actions[bot]@users.noreply.github.com"
    git config --global user.name "github-actions[bot]"
    git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
```
Note: The course progression workflows (steps 0-5) do not use persist-credentials: false because they rely on the GITHUB_TOKEN being available via the environment variable mechanism (not git config) and use the skills/action-update-step@v2 action which handles its own authentication via the token parameter.
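The following is an added example, not code from the page or from the testtimescaling.github.io repository: a shell step that audits a fresh checkout for the credential header actions/checkout persists by default, plus the explicit remote-URL setup the Insight and Code Evidence sections describe for the one step that pushes. The git config key (http.https://github.com/.extraheader), the repository slug and the token value are assumptions and placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the repository it describes).
# Assumptions: actions/checkout stores the token under the git config key
# http.https://github.com/.extraheader; the repo slug and token are placeholders.
set -euo pipefail

# Exit 0 when no credential header is persisted in the repo's local git config,
# 1 when one is found (what the default persist-credentials: true leaves behind).
check_no_persisted_credentials() {
  local repo="$1"
  if git -C "$repo" config --local --get-all 'http.https://github.com/.extraheader' >/dev/null 2>&1; then
    echo "persisted credential header found in $repo/.git/config" >&2
    return 1
  fi
  return 0
}

# Explicit push setup for the single step that needs it: point origin at the
# x-access-token URL and print the resulting remote URL. The token now lives in
# .git/config, so run this as late as possible and never before third-party actions.
configure_push_remote() {
  local repo="$1" token="$2" slug="$3"
  git -C "$repo" remote set-url origin "https://x-access-token:${token}@github.com/${slug}.git"
  git -C "$repo" remote get-url origin
}

# Constructed demo: a throwaway repo with a simulated persisted header, as a
# default checkout would leave it; detect it, remove it, then configure the push remote.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  git -C "$tmp" init -q
  git -C "$tmp" remote add origin https://github.com/example-org/example-repo.git
  git -C "$tmp" config --local 'http.https://github.com/.extraheader' 'AUTHORIZATION: basic PLACEHOLDER_BASE64'
  if check_no_persisted_credentials "$tmp" 2>/dev/null; then
    echo "expected the simulated credential to be detected" >&2
    return 1
  fi
  git -C "$tmp" config --local --unset-all 'http.https://github.com/.extraheader'
  check_no_persisted_credentials "$tmp"
  configure_push_remote "$tmp" PLACEHOLDER_TOKEN example-org/example-repo
  rm -rf "$tmp"
}

demo
```

In a workflow, the check function is a useful guard step right after checkout; the remote setup belongs only in the final "Commit and push" step, as the page's update_citations.yml does.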