From ee6fc7e38b4aeef44862159215a56d97122f59a0 Mon Sep 17 00:00:00 2001 From: Joost VandeVondele Date: Wed, 3 Jul 2024 11:14:41 +0200 Subject: [PATCH] CI: limit artifact uploads do not upload some unneeded intermediate directories, disable running authenticated git commands with the checkout action. Thanks to Yaron A for the report. closes https://github.com/official-stockfish/Stockfish/pull/5435 No functional change --- .github/workflows/arm_compilation.yml | 6 +++++- .github/workflows/clang-format.yml | 1 + .github/workflows/codeql.yml | 2 ++ .github/workflows/compilation.yml | 7 ++++++- .github/workflows/games.yml | 2 ++ .github/workflows/iwyu.yml | 2 ++ .github/workflows/matetrack.yml | 2 ++ .github/workflows/sanitizers.yml | 2 ++ .github/workflows/stockfish.yml | 4 ++++ .github/workflows/tests.yml | 1 + .github/workflows/upload_binaries.yml | 2 ++ 11 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/arm_compilation.yml b/.github/workflows/arm_compilation.yml
index 3934ac2d636..5bf2a93e552 100644
--- a/.github/workflows/arm_compilation.yml
+++ b/.github/workflows/arm_compilation.yml
@@ -26,6 +26,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Download required linux packages if: runner.os == 'Linux'
@@ -91,4 +92,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ matrix.config.simple_name }} ${{ matrix.binaries }} - path: . + path: | . !.git !.output
diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml
index 630edbf93fe..637cfc0d826 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -19,6 +19,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Run clang-format style check uses: jidicula/clang-format-action@f62da5e3d3a2d88ff364771d9d938773a618ab5e # @v4.11.0 
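Review bot: `persist-credentials: false` is added to every checkout in this patch with nothing on the line saying why, and a one-key flip of an action default is exactly what gets dropped in a later tidy-up; a short comment on the first checkout of each file would anchor it, e.g. `# the token is only needed for the clone itself; do not leave it in .git/config, where a workspace artifact upload would otherwise pick it up`. Turning persistence off also means any later step in these jobs that runs an authenticated git command (a push, a fetch of a private repository) now fails; the steps visible in the hunks only build and read files, but every job body continues outside its hunk, so the release-side workflows stockfish.yml and upload_binaries.yml are the ones to confirm. The same applies to the checkouts in the other hunks of this patch.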
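Review bot: The upload step still publishes the whole workspace — `path: .` with only `.git` and `.output` excluded — so any other file written into the checkout during the job (downloaded packages, intermediate build output, anything a later step drops next to the sources) ends up in a downloadable artifact, and the deny-list needs another line each time a new scratch directory appears. An allow-list naming just the produced binaries would be narrower and self-maintaining; where the build writes them is not visible in this hunk, so the exact pattern needs confirming against the build step. The same exclusion block appears in the second compilation.yml hunk. A comment on the exclusions would also help, since `!.git` looks odd in isolation: `# never ship .git (holds the checkout token when credentials persist) or build intermediates`. Judging by the hunk header this block is at the end of the file, so nothing after it is visible.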
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d949a5a7649..d01ed41fea6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,6 +30,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
diff --git a/.github/workflows/compilation.yml b/.github/workflows/compilation.yml
index 3524d5e9f2e..5878adecb5c 100644
--- a/.github/workflows/compilation.yml
+++ b/.github/workflows/compilation.yml
@@ -25,6 +25,8 @@ jobs: shell: ${{ matrix.config.shell }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install fixed GCC on Linux if: runner.os == 'Linux'
@@ -86,4 +88,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ matrix.config.simple_name }} ${{ matrix.binaries }} - path: . + path: | . !.git !.output
diff --git a/.github/workflows/games.yml b/.github/workflows/games.yml
index 088695e57fc..f0bca442fdc 100644
--- a/.github/workflows/games.yml
+++ b/.github/workflows/games.yml
@@ -13,6 +13,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} path: Stockfish + persist-credentials: false - name: build debug enabled version of SF working-directory: Stockfish/src
@@ -24,6 +25,7 @@ jobs: repository: Disservin/fast-chess path: fast-chess ref: d54af1910d5479c669dc731f1f54f9108a251951 + persist-credentials: false - name: fast-chess build working-directory: fast-chess
diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml
index 0552a598c8f..f8898b1c90e 100644
--- a/.github/workflows/iwyu.yml
+++ b/.github/workflows/iwyu.yml
@@ -14,6 +14,7 @@ jobs: uses: actions/checkout@v4 with: path: Stockfish + persist-credentials: false - name: Checkout include-what-you-use uses: actions/checkout@v4 
@@ -21,6 +22,7 @@ jobs: repository: include-what-you-use/include-what-you-use ref: f25caa280dc3277c4086ec345ad279a2463fea0f path: include-what-you-use + persist-credentials: false - name: Download required linux packages run: |
diff --git a/.github/workflows/matetrack.yml b/.github/workflows/matetrack.yml
index dd81f334d05..de65209fb29 100644
--- a/.github/workflows/matetrack.yml
+++ b/.github/workflows/matetrack.yml
@@ -13,6 +13,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} path: Stockfish + persist-credentials: false - name: build SF working-directory: Stockfish/src
@@ -24,6 +25,7 @@ jobs: repository: vondele/matetrack path: matetrack ref: 20287a1a145f30a166b7ef251eddb611e4e44fbf + persist-credentials: false - name: matetrack install deps working-directory: matetrack
diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
index b75c06cfbbe..55459292107 100644
--- a/.github/workflows/sanitizers.yml
+++ b/.github/workflows/sanitizers.yml
@@ -40,6 +40,8 @@ jobs: shell: ${{ matrix.config.shell }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download required linux packages run: |
diff --git a/.github/workflows/stockfish.yml b/.github/workflows/stockfish.yml
index 8a1094fbdbd..5589c762489 100644
--- a/.github/workflows/stockfish.yml
+++ b/.github/workflows/stockfish.yml
@@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # returns null if no pre-release exists - name: Get Commit SHA of Latest Pre-release
@@ -66,6 +68,8 @@ jobs: arm_matrix: ${{ steps.set-arm-matrix.outputs.arm_matrix }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - id: set-matrix run: | TASKS=$(echo $(cat .github/ci/matrix.json) )
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 328c9cf94b1..836555e6127 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
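Review bot: In the second stockfish.yml hunk, the `TASKS=$(echo $(cat .github/ci/matrix.json) )` line right after the new checkout block lets the shell word-split and glob-expand the JSON text before echo re-joins it, so a `*` or `?` inside any value would be expanded against the workspace and quoting inside the file is at the mercy of IFS. This predates the patch, but it is the first thing that runs on the checkout and is worth fixing while the step is being touched: if the consumer parses TASKS as JSON, `TASKS=$(jq -c . .github/ci/matrix.json)` gives the same one-line form without any expansion, and jq is available on the ubuntu-latest runner the job declares. The `run:` block begins in the hunk and continues outside it, so how TASKS is consumed is not visible here.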
@@ -106,6 +106,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Download required linux packages if: runner.os == 'Linux'
diff --git a/.github/workflows/upload_binaries.yml b/.github/workflows/upload_binaries.yml
index acf91a8f331..c91824a2556 100644
--- a/.github/workflows/upload_binaries.yml
+++ b/.github/workflows/upload_binaries.yml
@@ -25,6 +25,8 @@ jobs: shell: ${{ matrix.config.shell }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download artifact from compilation uses: actions/download-artifact@v4