From fd300220653ce242641e907205fb72780d7d5c9f Mon Sep 17 00:00:00 2001
From: Junyan Qin
Date: Fri, 27 Dec 2024 22:54:48 +0800
Subject: [PATCH] fix: potential vulnerabilities in CI
---
 .github/workflows/build-dev-image.yaml | 3 +++
 .github/workflows/build-docker-image.yml | 3 +++
 .github/workflows/build-release-artifacts.yaml | 2 ++
 3 files changed, 8 insertions(+)
diff --git a/.github/workflows/build-dev-image.yaml b/.github/workflows/build-dev-image.yaml
index 28a46678..2784e40d 100644
--- a/.github/workflows/build-dev-image.yaml
+++ b/.github/workflows/build-dev-image.yaml
@@ -10,6 +10,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ with:
+ persist-credentials: false
+
 - name: Generate Tag
 id: generate_tag
 run: |
diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
index 63cbf3d5..2b78d459 100644
--- a/.github/workflows/build-docker-image.yml
+++ b/.github/workflows/build-docker-image.yml
@@ -13,6 +13,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ with:
+ persist-credentials: false
+
 - name: judge has env GITHUB_REF # 如果没有GITHUB_REF环境变量,则把github.ref变量赋值给GITHUB_REF
 run: |
 if [ -z "$GITHUB_REF" ]; then
diff --git a/.github/workflows/build-release-artifacts.yaml b/.github/workflows/build-release-artifacts.yaml
index 89ff9cae..2a1d2fc6 100644
--- a/.github/workflows/build-release-artifacts.yaml
+++ b/.github/workflows/build-release-artifacts.yaml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Check version
 id: check_version
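Review bot: The Checkout step still references `actions/checkout@v2`, a mutable tag on an old major version, so the added `persist-credentials: false` hardens only part of the step; the same line sits unchanged in the build-docker-image.yml and build-release-artifacts.yaml hunks. Pinning to the full commit SHA of a current release, written as `uses: actions/checkout@<full-commit-sha>  # <release-tag>`, keeps a retagged release from changing what these jobs execute. Since the token is no longer written to the local git config, any later step that pushes or fetches over git would need explicit credentials; those steps are outside the hunks, so it is worth confirming none depend on it. A short comment above `with:`, such as `# keep GITHUB_TOKEN out of .git/config so later steps and uploaded artifacts cannot read it`, would record why the option is set.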
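Review bot: The `judge has env GITHUB_REF` step in build-docker-image.yml, going by its inline comment, copies `github.ref` into `GITHUB_REF` from inside a `run:` script, and this commit leaves that step as it was. The assignment itself lies outside the hunk, but if it expands `${{ github.ref }}` directly in the script text, the ref name is substituted before the shell parses the script and is treated as code rather than data. Passing it through the step's environment, `env:` with `REF: ${{ github.ref }}`, and reading `"$REF"` in the script keeps the value inert.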