From 8fc74cc3e195df21361ee0eea7b71e3b7a7b0359 Mon Sep 17 00:00:00 2001 From: Joe Wallwork Date: Mon, 31 Mar 2025 11:27:11 +0100 Subject: [PATCH 1/2] Fix vulnerability in cloud benchmarking workflow --- .github/workflows/cloud-benchmarking-workflow.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cloud-benchmarking-workflow.yml b/.github/workflows/cloud-benchmarking-workflow.yml index f658a6109..160c51af6 100644 --- a/.github/workflows/cloud-benchmarking-workflow.yml +++ b/.github/workflows/cloud-benchmarking-workflow.yml @@ -43,8 +43,8 @@ jobs: # conditionally overwrite variables if a tag was the triggering event - name: Reset Initial Variables for pull request run: | - echo "GITHUB_SHA_SHORT=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV - echo "COMMIT_NAME=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV + echo "GITHUB_SHA_SHORT=${{ github.event.pull_request.head.sha | substr(0, 7) }}" >> $GITHUB_ENV + echo "COMMIT_NAME=${{ github.event.pull_request.head.sha | substr(0, 7) }}" >> $GITHUB_ENV if: github.event_name == 'pull_request' - name: Reset Variables For Tags # We do a 1Month benchmark for tags From 46c53ceea746796e56197a62a797510f512d311f Mon Sep 17 00:00:00 2001 From: Joe Wallwork Date: Mon, 31 Mar 2025 11:24:45 +0100 Subject: [PATCH 2/2] Persist credentials when checking out --- .github/workflows/cloud-benchmarking-workflow.yml | 1 + .github/workflows/gcclassic-compile-tests.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/.github/workflows/cloud-benchmarking-workflow.yml b/.github/workflows/cloud-benchmarking-workflow.yml index 160c51af6..932d6b986 100644 --- a/.github/workflows/cloud-benchmarking-workflow.yml +++ b/.github/workflows/cloud-benchmarking-workflow.yml @@ -33,6 +33,7 @@ jobs: - uses: actions/checkout@v3 with: fetch-depth: 0 + persist-credentials: false - name: Set Initial Variables # By default we use 1Hr benchmarks run: | 
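Review bot: The two added `echo` lines in the `@@ -43,8 +43,8 @@` hunk use `${{ github.event.pull_request.head.sha | substr(0, 7) }}`, but GitHub Actions expressions have no pipe operator and no `substr` function, so the workflow is expected to be rejected when the expression is parsed rather than produce a 7-character SHA. The usual hardening for this pattern is to keep `${{ }}` out of the script text altogether: bind the value under `env:` and shorten it in the shell, as sketched below. The `${VAR:0:7}` form assumes the step runs under bash, which the hunk does not show. The job this step belongs to starts outside the hunk, so the indentation in the sketch is conventional rather than copied.

```yaml
- name: Reset Initial Variables for pull request
  env:
    PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
  run: |
    echo "GITHUB_SHA_SHORT=${PR_HEAD_SHA:0:7}" >> "$GITHUB_ENV"
    echo "COMMIT_NAME=${PR_HEAD_SHA:0:7}" >> "$GITHUB_ENV"
  # … unchanged: if: github.event_name == 'pull_request' …
```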
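Review bot: The added `persist-credentials: false` in the `@@ -33,6 +33,7 @@` hunk has no comment, and the commit subject reads as the opposite of what the line does, so a later reader could take it for a mistake and revert it. A one-line comment above it, e.g. `# Do not leave the job token in the local git config for later steps`, would record the intent; the same applies to the identical addition in `gcclassic-compile-tests.yml`. The rest of the job lies outside the hunk, so it is worth confirming that no later step relies on the persisted token for an authenticated `git push` or fetch.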
diff --git a/.github/workflows/gcclassic-compile-tests.yml b/.github/workflows/gcclassic-compile-tests.yml index 0c0a5528b..77940a3b1 100644 --- a/.github/workflows/gcclassic-compile-tests.yml +++ b/.github/workflows/gcclassic-compile-tests.yml @@ -19,6 +19,8 @@ jobs: steps: - name: Checkout code + with: + persist-credentials: false uses: actions/checkout@v4 - name: Install dependencies
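Review bot: The new `with:` block sits between `name:` and `uses:`, which is valid YAML but separates the inputs from the action they configure. Moving `with:` and `persist-credentials: false` below the `uses: actions/checkout@v4` line would match the order used by the checkout step in `cloud-benchmarking-workflow.yml` in this same patch. The job this step belongs to begins outside the hunk.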