From 297d6bd8698b10330dbfeb630fe2e41d4cc7cc57 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 2 Jun 2026 11:10:36 +0100
Subject: [PATCH] Set persist-credentials: false on checkouts before untrusted steps.

Prevents GITHUB_TOKEN from being written to git config before pip/pytest in CI and before build steps in release.
add-tag checkout keeps default credentials for GitHub release creation.

Co-authored-by: Cursor
---
 .github/workflows/python.yaml | 2 ++
 .github/workflows/release.yaml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
index 1a77f8e2..f55b700d 100644
--- a/.github/workflows/python.yaml
+++ b/.github/workflows/python.yaml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: '3.11'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5f6987f7..1dc52cd4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,6 +21,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - id: validate
 env:
 RELEASE_VERSION: ${{ inputs.releaseVersion }}
@@ -44,6 +45,8 @@ jobs:
 packages: ${{ steps.packages.outputs.packages }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - id: packages
 run: |
 shopt -s nullglob
@@ -80,6 +83,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: main
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
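Review bot: The reason for the new `persist-credentials: false` on the python.yaml checkout lives only in the commit message; a comment on the added `with:` block would keep the next maintainer from dropping it, e.g. `# Keep GITHUB_TOKEN out of .git/config for the pip/pytest steps below`. This setting only stops the token from being written to the checkout's git config; any later step that references `${{ secrets.GITHUB_TOKEN }}` or `github.token` still receives it, so the job's `permissions:` block (not visible in this hunk) should also be reduced to `contents: read` to bound what a compromised dependency or test could do with it. The `actions/checkout@v4` reference on the context line is a mutable tag; pinning it to a full commit SHA would finish the supply-chain hardening this commit starts. The enclosing job starts before this hunk.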
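Review bot: In the release.yaml hunk at line 44, the `packages` step output that this job publishes (`packages: ${{ steps.packages.outputs.packages }}`) is built by the `shopt -s nullglob` script from file names in the checkout, and the script body continues past the hunk; if any downstream job interpolates that output directly into a `run:` script with `${{ needs.<job>.outputs.packages }}`, a crafted file name in the repository becomes a shell-injection vector, so consumers should receive it via `env:` and quote it. The new `persist-credentials: false` is the right call for this job, since the glob step now no longer sees GITHUB_TOKEN in `.git/config`. Pinning `actions/checkout@v4` to a commit SHA would be worth doing in the same pass.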
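Review bot: The checkout in the release.yaml hunk at line 80 now runs without credentials, but `ref: main` still checks out whatever is at the tip of `main` when this job starts, not the commit that the `validate` step earlier in the workflow examined; if the Python steps that follow (they continue past the hunk) build the artifact that gets released, a push to `main` between the two jobs changes what is shipped. Recording the validated commit SHA as a job output and checking it out by SHA instead of `ref: main` would tie the build to what was validated. Since the token is no longer persisted here, also confirm that nothing later in this job runs `git push` or relies on the git credential helper; the commit message says the add-tag job keeps credentials for that purpose.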