diff --git a/.github/workflows/build-unsigned-mac-binaries.yml b/.github/workflows/build-unsigned-mac-binaries.yml
index 9a5e58e92c..2acd67585e 100644
--- a/.github/workflows/build-unsigned-mac-binaries.yml
+++ b/.github/workflows/build-unsigned-mac-binaries.yml
@@ -30,6 +30,7 @@ jobs:
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
 with:
 ref: '${{ inputs.ref || github.ref }}'
+ persist-credentials: false
 - name: 'Set up Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
diff --git a/.github/workflows/chained_e2e.yml b/.github/workflows/chained_e2e.yml
index 4a5de8bf7c..a807fbfb37 100644
--- a/.github/workflows/chained_e2e.yml
+++ b/.github/workflows/chained_e2e.yml
@@ -148,6 +148,7 @@ jobs:
 with:
 ref: '${{ needs.parse_run_context.outputs.sha }}'
 repository: '${{ needs.parse_run_context.outputs.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js ${{ matrix.node-version }}'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
@@ -193,6 +194,7 @@ jobs:
 with:
 ref: '${{ needs.parse_run_context.outputs.sha }}'
 repository: '${{ needs.parse_run_context.outputs.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js 20.x'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
@@ -233,6 +235,7 @@ jobs:
 with:
 ref: '${{ needs.parse_run_context.outputs.sha }}'
 repository: '${{ needs.parse_run_context.outputs.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js 20.x'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
@@ -314,6 +317,7 @@ jobs:
 with:
 ref: '${{ needs.parse_run_context.outputs.sha }}'
 repository: '${{ needs.parse_run_context.outputs.repository }}'
+ persist-credentials: false
 fetch-depth: 0
 - name: 'Set up Node.js 20.x'
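Review bot: The four checkouts in chained_e2e.yml (hunks at -148, -193, -233 and -314) take both `ref` and `repository` from `needs.parse_run_context.outputs`, so the tree they fetch may come from a fork, yet the new `persist-credentials: false` line carries no comment saying that this is why it matters here. A one-line comment above it would keep the setting from being dropped in a later cleanup, for example `# Checked-out code may come from a fork: keep the workflow token out of .git/config`. The setting only removes the token that checkout would store in the local git config; whatever later steps in these jobs pass to the checked-out code through `env:` or `secrets` is unchanged, and those steps are outside the hunks. The three deflake.yml hunks, which check out `github.event.pull_request.head.sha`, would benefit from the same comment.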
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2ef8bdb58d..5da8e6e05a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,6 +57,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.branch_ref || github.ref }}'
 fetch-depth: 0
@@ -130,6 +131,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Link Checker'
 uses: 'lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2' # ratchet: lycheeverse/lychee-action@v2.6.1
 with:
@@ -157,6 +160,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Set up Node.js ${{ matrix.node-version }}'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
@@ -252,6 +257,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Set up Node.js ${{ matrix.node-version }}'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
@@ -339,6 +346,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.branch_ref || github.ref }}'
 - name: 'Initialize CodeQL'
@@ -363,6 +371,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.branch_ref || github.ref }}'
 fetch-depth: 1
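Review bot: Nothing in the ci.yml hunks shown here adds a check that fails when a checkout step omits `persist-credentials: false`, so the next workflow added with a bare `actions/checkout` brings the persisted token back without anyone noticing. Since every step in this change was edited by hand, a workflow-lint step that flags credential-persisting checkouts (zizmor's `artipacked` audit is one such check) would turn this one-time sweep into an enforced rule. As a smaller point of style, the hunks at -57, -339, -363 and -390 put the key first under `with:` while most other files in the change append it last; picking one position makes the setting easier to grep for and review.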
@@ -390,6 +399,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.branch_ref || github.ref }}'
 - name: 'Set up Node.js 20.x'
diff --git a/.github/workflows/deflake.yml b/.github/workflows/deflake.yml
index a6a7d3664f..5d94dfc84e 100644
--- a/.github/workflows/deflake.yml
+++ b/.github/workflows/deflake.yml
@@ -43,6 +43,7 @@ jobs:
 with:
 ref: '${{ github.event.pull_request.head.sha }}'
 repository: '${{ github.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js ${{ matrix.node-version }}'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
@@ -86,6 +87,7 @@ jobs:
 with:
 ref: '${{ github.event.pull_request.head.sha }}'
 repository: '${{ github.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js 20.x'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
@@ -125,6 +127,7 @@ jobs:
 with:
 ref: '${{ github.event.pull_request.head.sha }}'
 repository: '${{ github.repository }}'
+ persist-credentials: false
 - name: 'Set up Node.js 20.x'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions-node@v4
diff --git a/.github/workflows/docs-audit.yml b/.github/workflows/docs-audit.yml
index 4a2da6aa37..687bd3fb57 100644
--- a/.github/workflows/docs-audit.yml
+++ b/.github/workflows/docs-audit.yml
@@ -19,6 +19,7 @@ jobs:
 with:
 fetch-depth: 0
 ref: 'main'
+ persist-credentials: false
 - name: 'Set up Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020'
diff --git a/.github/workflows/docs-page-action.yml b/.github/workflows/docs-page-action.yml
index be807c7c36..60554fb809 100644
--- a/.github/workflows/docs-page-action.yml
+++ b/.github/workflows/docs-page-action.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Setup Pages'
 uses: 'actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b' # ratchet:actions/configure-pages@v5
diff --git a/.github/workflows/eval-pr.yml b/.github/workflows/eval-pr.yml
index 3e6784960c..1dab98b2ee 100644
--- a/.github/workflows/eval-pr.yml
+++ b/.github/workflows/eval-pr.yml
@@ -38,6 +38,7 @@ jobs:
 with:
 # Check out the trusted code from main for detection
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Detect Steering Changes'
 id: 'detect'
@@ -102,6 +103,7 @@ jobs:
 # This only runs AFTER manual approval
 ref: '${{ github.event.pull_request.head.sha }}'
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Remove Approval Notification'
 # Run even if other steps fail, to ensure we clean up the "Action Required" message
diff --git a/.github/workflows/evals-nightly.yml b/.github/workflows/evals-nightly.yml
index 1fe61971fe..2ee064e4ae 100644
--- a/.github/workflows/evals-nightly.yml
+++ b/.github/workflows/evals-nightly.yml
@@ -46,6 +46,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Set up Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
@@ -105,6 +107,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Download Logs'
 uses: 'actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806' # ratchet:actions/download-artifact@v4
diff --git a/.github/workflows/gemini-automated-issue-dedup.yml b/.github/workflows/gemini-automated-issue-dedup.yml
index 0fe02b5530..27bc9f27fa 100644
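Review bot: In eval-pr.yml the hunk at -102 checks out `github.event.pull_request.head.sha`, and the manual-approval comment above it is the only guard the hunk shows; `persist-credentials: false` narrows what that code can reach but does not make it trusted. It keeps the checkout token out of `.git/config`, while any secret or token that later steps of the job hand to scripts from the PR tree remains readable by them; those steps are outside the hunk, so this is worth confirming rather than assuming. I would extend the existing comment to say so, e.g. `# Untrusted PR code from here on: no persisted git token, and no secrets in env for steps that execute it`. The first hunk (-38) says it checks out trusted code from main but shows no `ref:` among its `with:` keys, so it appears to rely on the trigger's default ref; naming the expected ref in that comment would make the trust boundary between the two checkouts explicit.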
--- a/.github/workflows/gemini-automated-issue-dedup.yml
+++ b/.github/workflows/gemini-automated-issue-dedup.yml
@@ -48,6 +48,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Log in to GitHub Container Registry'
 uses: 'docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1' # ratchet:docker/login-action@v3
diff --git a/.github/workflows/gemini-automated-issue-triage.yml b/.github/workflows/gemini-automated-issue-triage.yml
index e789aafa7d..f38988fecd 100644
--- a/.github/workflows/gemini-automated-issue-triage.yml
+++ b/.github/workflows/gemini-automated-issue-triage.yml
@@ -90,6 +90,8 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Generate GitHub App Token'
 id: 'generate_token'
diff --git a/.github/workflows/gemini-cli-bot-pulse.yml b/.github/workflows/gemini-cli-bot-pulse.yml
index b929444837..32fb6a0072 100644
--- a/.github/workflows/gemini-cli-bot-pulse.yml
+++ b/.github/workflows/gemini-cli-bot-pulse.yml
@@ -23,6 +23,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: 'Setup Node.js'
diff --git a/.github/workflows/gemini-lifecycle-manager.yml b/.github/workflows/gemini-lifecycle-manager.yml
index 1de2565e8e..7f0a2b9484 100644
--- a/.github/workflows/gemini-lifecycle-manager.yml
+++ b/.github/workflows/gemini-lifecycle-manager.yml
@@ -33,6 +33,8 @@ jobs:
 - name: 'Checkout repository'
 uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: 'Lifecycle Management'
 uses: 'actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea'
diff --git a/.github/workflows/gemini-scheduled-issue-dedup.yml b/.github/workflows/gemini-scheduled-issue-dedup.yml
index 46a6f4628b..b18ccf7fc0 100644
--- a/.github/workflows/gemini-scheduled-issue-dedup.yml
+++ b/.github/workflows/gemini-scheduled-issue-dedup.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Log in to GitHub Container Registry'
 uses: 'docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1' # ratchet:docker/login-action@v3
diff --git a/.github/workflows/gemini-scheduled-issue-triage.yml b/.github/workflows/gemini-scheduled-issue-triage.yml
index 6c8f10dcb7..570d806b91 100644
--- a/.github/workflows/gemini-scheduled-issue-triage.yml
+++ b/.github/workflows/gemini-scheduled-issue-triage.yml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Generate GitHub App Token'
 id: 'generate_token'
diff --git a/.github/workflows/gemini-scheduled-pr-triage.yml b/.github/workflows/gemini-scheduled-pr-triage.yml
index 50cd5a1bad..33072519b1 100644
--- a/.github/workflows/gemini-scheduled-pr-triage.yml
+++ b/.github/workflows/gemini-scheduled-pr-triage.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Generate GitHub App Token'
 id: 'generate_token'
diff --git a/.github/workflows/label-backlog-child-issues.yml b/.github/workflows/label-backlog-child-issues.yml
index 697e605d51..920fc1e4c3 100644
--- a/.github/workflows/label-backlog-child-issues.yml
+++ b/.github/workflows/label-backlog-child-issues.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: 'Setup Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
@@ -41,6 +43,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: 'Setup Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 1ed45019f9..cbc5bb4f04 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -17,6 +17,8 @@ jobs:
 runs-on: 'ubuntu-latest'
 steps:
 - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Link Checker'
 id: 'lychee'
diff --git a/.github/workflows/memory-nightly.yml b/.github/workflows/memory-nightly.yml
index ee4e5e589c..5a953999db 100644
--- a/.github/workflows/memory-nightly.yml
+++ b/.github/workflows/memory-nightly.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Set up Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
diff --git a/.github/workflows/perf-nightly.yml b/.github/workflows/perf-nightly.yml
index 3749df231a..f45ab487e2 100644
--- a/.github/workflows/perf-nightly.yml
+++ b/.github/workflows/perf-nightly.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: 'Set up Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
diff --git a/.github/workflows/release-change-tags.yml b/.github/workflows/release-change-tags.yml
index 3a7c5648f8..09515f27d4 100644
--- a/.github/workflows/release-change-tags.yml
+++ b/.github/workflows/release-change-tags.yml
@@ -44,6 +44,7 @@ jobs:
 with:
 ref: '${{ github.ref }}'
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Setup Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020'
diff --git a/.github/workflows/release-manual.yml b/.github/workflows/release-manual.yml
index ec2a38b636..2a19aa1139 100644
--- a/.github/workflows/release-manual.yml
+++ b/.github/workflows/release-manual.yml
@@ -65,11 +65,13 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: 'Checkout Release Code'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 path: 'release'
 fetch-depth: 0
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index 9899e99d54..cf281deae4 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -50,11 +50,13 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: 'Checkout Release Code'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 path: 'release'
 fetch-depth: 0
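Review bot: With `persist-credentials: false` on the release checkouts, any later step that pushes a commit, branch or tag with plain `git push` no longer finds a token in the git config and must authenticate on its own; the hunks stop before those steps, so this needs a check against the full files. It applies to release-change-tags.yml (-44), both checkouts in release-manual.yml and release-nightly.yml, and to release-patch-1-create-pr.yml, release-patch-3-release.yml, release-promote.yml, release-rollback.yml and release-sandbox.yml, where the step right after the checkout is named 'Push'. Where a push is intended, pass a narrowly scoped token to that one step instead of re-enabling persistence, and record it next to the setting, e.g. `# No persisted git credentials: steps that push must supply their own token`. A dry run of each release workflow before merging would confirm that none of them relied on the persisted token.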
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index bf0b4f42f2..d516ee928a 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -31,6 +31,7 @@ jobs:
 - name: 'Checkout repository'
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
 with:
+ persist-credentials: false
 # The user-level skills need to be available to the workflow
 fetch-depth: 0
 ref: 'main'
diff --git a/.github/workflows/release-patch-0-from-comment.yml b/.github/workflows/release-patch-0-from-comment.yml
index 2bb7c27c7b..29a05884ad 100644
--- a/.github/workflows/release-patch-0-from-comment.yml
+++ b/.github/workflows/release-patch-0-from-comment.yml
@@ -17,6 +17,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 fetch-depth: 1
 - name: 'Slash Command Dispatch'
diff --git a/.github/workflows/release-patch-1-create-pr.yml b/.github/workflows/release-patch-1-create-pr.yml
index d19fc8e8b4..26b3eaeb6a 100644
--- a/.github/workflows/release-patch-1-create-pr.yml
+++ b/.github/workflows/release-patch-1-create-pr.yml
@@ -54,6 +54,7 @@ jobs:
 with:
 ref: '${{ github.event.inputs.ref }}'
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Setup Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
diff --git a/.github/workflows/release-patch-2-trigger.yml b/.github/workflows/release-patch-2-trigger.yml
index 5976816dbc..8505f198f1 100644
--- a/.github/workflows/release-patch-2-trigger.yml
+++ b/.github/workflows/release-patch-2-trigger.yml
@@ -64,6 +64,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: "${{ github.event.inputs.workflow_ref || 'main' }}"
 fetch-depth: 1
diff --git a/.github/workflows/release-patch-3-release.yml b/.github/workflows/release-patch-3-release.yml
index 6680362a16..3dfb992a72 100644
--- a/.github/workflows/release-patch-3-release.yml
+++ b/.github/workflows/release-patch-3-release.yml
@@ -53,12 +53,14 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
 - name: 'Checkout Release Code'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.release_ref }}'
 path: 'release'
 fetch-depth: 0
diff --git a/.github/workflows/release-promote.yml b/.github/workflows/release-promote.yml
index e3a5100cfa..4ac5213a27 100644
--- a/.github/workflows/release-promote.yml
+++ b/.github/workflows/release-promote.yml
@@ -55,6 +55,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
@@ -171,11 +172,13 @@ jobs:
 - name: 'Checkout Ref'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 - name: 'Checkout correct SHA'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ matrix.sha }}'
 path: 'release'
 fetch-depth: 0
@@ -216,11 +219,13 @@ jobs:
 - name: 'Checkout Ref'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 - name: 'Checkout correct SHA'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ needs.calculate-versions.outputs.PREVIEW_SHA }}'
 path: 'release'
 fetch-depth: 0
@@ -288,11 +293,13 @@ jobs:
 - name: 'Checkout Ref'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 - name: 'Checkout correct SHA'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ needs.calculate-versions.outputs.STABLE_SHA }}'
 path: 'release'
 fetch-depth: 0
@@ -360,6 +367,7 @@ jobs:
 - name: 'Checkout Ref'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 - name: 'Setup Node.js'
diff --git a/.github/workflows/release-rollback.yml b/.github/workflows/release-rollback.yml
index db91457b1a..f23e6908b7 100644
--- a/.github/workflows/release-rollback.yml
+++ b/.github/workflows/release-rollback.yml
@@ -52,6 +52,7 @@ jobs:
 - name: 'Checkout repository'
 uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955' # ratchet:actions/checkout@v4
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref }}'
 fetch-depth: 0
diff --git a/.github/workflows/release-sandbox.yml b/.github/workflows/release-sandbox.yml
index 2c7de7a0f5..033ad45007 100644
--- a/.github/workflows/release-sandbox.yml
+++ b/.github/workflows/release-sandbox.yml
@@ -26,6 +26,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
 with:
+ persist-credentials: false
 ref: '${{ github.event.inputs.ref || github.sha }}'
 fetch-depth: 0
 - name: 'Push'
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 29903dfbe8..41a9f927d6 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -32,6 +32,7 @@ jobs:
 with:
 ref: '${{ github.event.inputs.ref || github.sha }}'
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Install Dependencies'
 run: 'npm ci'
 - name: 'Build bundle'
diff --git a/.github/workflows/test-build-binary.yml b/.github/workflows/test-build-binary.yml
index 05d6556f8c..e1ad5832ab 100644
--- a/.github/workflows/test-build-binary.yml
+++ b/.github/workflows/test-build-binary.yml
@@ -34,6 +34,8 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: 'Optimize Windows Performance'
 if: "matrix.os == 'windows-latest'"
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
index 20a9f51b8a..964d574081 100644
--- a/.github/workflows/verify-release.yml
+++ b/.github/workflows/verify-release.yml
@@ -44,6 +44,8 @@ jobs:
 shell: 'bash'
 run: 'echo "${{ toJSON(vars) }}"'
 - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
+ with:
+ persist-credentials: false
 - name: 'Verify release'
 uses: './.github/actions/verify-release'
 with:
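Review bot: The hardening in verify-release.yml stops at the checkout: the context line just above it, `run: 'echo "${{ toJSON(vars) }}"'`, still expands every repository variable straight into the shell command and prints it to the job log. Expression text substituted into `run:` is parsed by bash, so a variable value containing quotes or command substitution changes what the step executes. Passing the value through the environment avoids that: add `VARS_JSON: '${{ toJSON(vars) }}'` under an `env:` key on the step and change the command to `run: 'echo "$VARS_JSON"'`, or drop the dump if it was only there for debugging. That step begins above the hunk, so its name and any existing `env:` are not visible here. The checkout line itself also lacks the `# ratchet:` pin comment that most other workflows in this change carry.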