Don't persist git credentials when not needed

juliette-derancourt · juliette-derancourt · commit 2bc71bd3ffd8 · 2025-08-15T19:57:42.000+02:00
Fixes https://docs.zizmor.sh/audits/#artipacked warnings
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -37,6 +37,8 @@ jobs:
     steps:
     - name: Check out repository
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
     - name: Initialize CodeQL
       uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
       with:
diff --git a/.github/workflows/cross-version.yml b/.github/workflows/cross-version.yml
@@ -33,6 +33,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Set up Test JDK
         uses: ./.github/actions/setup-test-jdk
       - name: "Set up JDK ${{ matrix.jdk.version }} (${{ matrix.jdk.release || 'ea' }})"
@@ -79,6 +80,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Set up Test JDK
         uses: ./.github/actions/setup-test-jdk
         with:
diff --git a/.github/workflows/gradle-dependency-submission.yml b/.github/workflows/gradle-dependency-submission.yml
@@ -21,6 +21,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Setup Java
       uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -24,6 +24,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Install GraalVM
       uses: graalvm/setup-graalvm@7f488cf82a3629ee755e4e97342c01d6bed318fa # v1.3.5
       with:
@@ -51,6 +52,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Build
       uses: ./.github/actions/main-build
       with:
@@ -63,6 +65,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Build
       uses: ./.github/actions/main-build
       with:
@@ -81,6 +84,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Publish
       uses: ./.github/actions/run-gradle
       env:
@@ -108,6 +112,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Install Graphviz
       run: |
         sudo apt-get update
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -36,6 +36,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: "refs/tags/${{ env.RELEASE_TAG }}"
+          persist-credentials: false
       - name: Prepare Maven Central user token
         uses: ./.github/actions/maven-central-user-token
         with:
@@ -77,6 +78,7 @@ jobs:
           fetch-depth: 1
           ref: "refs/tags/${{ env.RELEASE_TAG }}"
           path: junit-framework
+          persist-credentials: false
       - name: Check out examples repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -85,6 +87,7 @@ jobs:
           fetch-depth: 1
           path: junit-examples
           ref: develop/6.x
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
@@ -165,6 +168,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: "refs/tags/${{ env.RELEASE_TAG }}"
+          persist-credentials: false
       - name: Release staging repository
         if: ${{ inputs.dryRun == false }}
         uses: ./.github/actions/run-gradle
@@ -187,6 +191,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: "refs/tags/${{ env.RELEASE_TAG }}"
+          persist-credentials: false
       - name: Install Graphviz and Poppler
         run: |
           sudo apt-get update
@@ -244,6 +249,7 @@ jobs:
           token: ${{ secrets.JUNIT_BUILDS_GITHUB_TOKEN_EXAMPLES_REPO }}
           fetch-depth: 1
           ref: develop/6.x
+          persist-credentials: true
       - name: Set up JDK
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
diff --git a/.github/workflows/reproducible-build.yml b/.github/workflows/reproducible-build.yml
@@ -23,6 +23,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 1
+        persist-credentials: false
     - name: Restore Gradle cache and display toolchains
       uses: ./.github/actions/run-gradle
       with:
