From 36127ec833b948390dc9b5dff4a7539f8afaca5f Mon Sep 17 00:00:00 2001
From: Silje Enge Kristensen
Date: Tue, 18 Jun 2024 14:20:22 +0200
Subject: [PATCH] ci: set persist-credentials to false for checkout action

---
 .github/workflows/audit.yaml | 4 ++++
 .github/workflows/node.yaml | 6 ++++++
 .github/workflows/sonar.yaml | 26 ++++++++++++++------------
 3 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
index c23c15e..c58618d 100644
--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -12,6 +12,8 @@ jobs:
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -38,6 +40,8 @@ jobs:
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
index e6d6556..9fdb9ed 100644
--- a/.github/workflows/node.yaml
+++ b/.github/workflows/node.yaml
@@ -16,6 +16,8 @@ jobs:
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -44,6 +46,8 @@ jobs:
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -79,6 +83,8 @@ jobs:
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Determine images to publish
 id: image-tags
 run: |
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
index 2e86c43..2f8f031 100644
--- a/.github/workflows/sonar.yaml
+++ b/.github/workflows/sonar.yaml
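Review bot: In node.yaml's third hunk (`@@ -79,6 +83,8 @@`, the job that starts with "Determine images to publish"), dropping the persisted token means any later step in that job that pushes back to the repository over git will no longer have credentials; those steps lie outside the hunk, so please confirm none of them relies on the checkout token, and if one does, hand it an explicit token for that step rather than re-enabling persistence. The same check applies to the audit.yaml and node.yaml hunks above it, where everything after `setup-node` is also cut off. The intent is easy to lose in a future edit, so a one-line comment above each new `with:` would help: `# the token is only needed to clone; keep it out of .git/config so later steps and third-party actions cannot read it`. Independently of this change, `actions/checkout@v4` and `actions/setup-node@v4` remain pinned to mutable major-version tags; pinning to full commit SHAs (with the tag in a trailing comment) would give the same review-once guarantee to the action code that this commit gives to the credentials.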
@@ -1,25 +1,27 @@
 on:
 # Trigger analysis when pushing in master or pull requests, and when creating
- # a pull request.
+ # a pull request.
 push:
 branches:
 - master
 pull_request:
- types: [opened, synchronize, reopened]
+ types: [opened, synchronize, reopened]
 name: SonarCloud
 jobs:
 sonarcloud:
 name: SonarCloud
 runs-on: ubuntu-latest
 if: ${{ github.repository_owner == 'nrkno' }}
-
+
 steps:
- - uses: actions/checkout@v4
- with:
- # Disabling shallow clone is recommended for improving relevancy of reporting
- fetch-depth: 0
- - name: SonarCloud Scan
- uses: sonarsource/sonarcloud-github-action@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
\ No newline at end of file
+ - uses: actions/checkout@v4
+ with:
+ # Disabling shallow clone is recommended for improving relevancy of reporting
+ fetch-depth: 0
+ persist-credentials: false
+ - name: SonarCloud Scan
+ uses: sonarsource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
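Review bot: `uses: sonarsource/sonarcloud-github-action@master` on the new side of this hunk tracks a moving branch, so the scan step — which receives both `GITHUB_TOKEN` and `SONAR_TOKEN` via `env` — can change underneath this workflow without anyone reviewing it, which undercuts the credential hardening the commit is adding; pin it to a release tag or, better, a full commit SHA, e.g. `uses: sonarsource/sonarcloud-github-action@<full-commit-sha>  # <release tag>`. The hunk also re-indents the whole `steps` block and re-emits two lines that look content-identical (`# a pull request.` and `types: [opened, synchronize, reopened]`, presumably trailing-whitespace fixes), so the single functional addition, `persist-credentials: false`, is buried in a whitespace diff — keeping the re-indent in its own commit would make the security change reviewable on its own. The final `+` line adds a trailing blank line at end of file, which yamllint's `new-line-at-end-of-file`/`empty-lines` checks will flag; ending the file with exactly one newline after the `SONAR_TOKEN` line avoids that.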