Set persist-credentials: false on checkouts before untrusted steps.

Prevents GITHUB_TOKEN from being written to git config before pip/pytest in CI and before build steps in release. add-tag checkout keeps default credentials for GitHub release creation. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-19 17:36:51 +00:00 · 2026-06-02 11:10:36 +01:00 · 2026-06-02 11:10:36 +01:00 · 297d6bd869
commit 297d6bd869
parent 63f29df0e1
2 changed files with 6 additions and 0 deletions
--- a/.github/workflows/python.yaml
+++ b/.github/workflows/python.yaml
@ -23,6 +23,8 @@ jobs:

    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -21,6 +21,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
+          persist-credentials: false
      - id: validate
        env:
          RELEASE_VERSION: ${{ inputs.releaseVersion }}
@ -44,6 +45,8 @@ jobs:
      packages: ${{ steps.packages.outputs.packages }}
    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - id: packages
        run: |
          shopt -s nullglob
@ -80,6 +83,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          ref: main
+          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with: