fix: credential persistence through GitHub Actions artifacts

Author: MaxymVlasov

.github/workflows/build-image-test.yaml

@@ -36,6 +36,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Get changed Docker related files
       id: changed-files-specific

.github/workflows/build-image.yaml

@@ -21,6 +21,9 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
     - name: Login to GitHub Container Registry

.github/workflows/ci-cd.yml

@@ -112,6 +112,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: >-
         Calculate Python interpreter version hash value
         for use in the cache key
@@ -282,6 +283,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: >-
         Calculate Python interpreter version hash value

.github/workflows/codeql.yml

@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -22,5 +22,8 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Dependency Review
       uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9  # v4.7.1

.github/workflows/pre-commit.yaml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
     - run: >-
         git fetch --no-tags --prune --depth=1 origin
         +refs/heads/*:refs/remotes/origin/*
@@ -48,10 +50,11 @@ jobs:
         )"
         > hadolint
         && chmod +x hadolint && sudo mv hadolint /usr/bin/
-     # Needed for pre-commit fix push to succeed
+      # Needed for pre-commit fix push to succeed
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
         ref: ${{ github.event.pull_request.head.sha }}
         # Needed to trigger pre-commit workflow on autofix commit. Guide:
         # https://web.archive.org/web/20210731173012/https://github.community/t/required-check-is-expected-after-automated-push/187545/

.github/workflows/reusable-tox.yml

@@ -170,6 +170,7 @@ jobs:
         contains(fromJSON('["pre-commit", "spellcheck-docs"]'), inputs.toxenv)
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ github.event.inputs.release-committish }}
     - name: Retrieve the project source from an sdist inside the GHA artifact
       if: >-