Set 'persist-credentials' to false

Author: AA-Turner

.github/workflows/builddoc.yml

@@ -22,6 +22,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/workflows/create-release.yml

@@ -28,6 +28,8 @@ jobs:
       id-token: write  # for PyPI trusted publishing
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -97,7 +99,7 @@ jobs:
               headers: {Authorization: `bearer ${oidc_request_token}`},
             });
             const oidc_token = (await oidc_resp.json()).value;
-  
+
             // exchange the OIDC token for an API token
             const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
               method: 'post',
@@ -127,6 +129,8 @@ jobs:
       contents: write  # for softprops/action-gh-release to create GitHub release
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Get release version
         id: get_version
         uses: actions/github-script@v7

.github/workflows/lint.yml

@@ -24,6 +24,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Get Ruff version from pyproject.toml
       run: |
         RUFF_VERSION=$(awk -F'[="]' '/\[project\.optional-dependencies\]/ {p=1} /ruff/ {if (p) print $4}' pyproject.toml)
@@ -48,6 +50,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -68,6 +72,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -88,6 +94,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -108,6 +116,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -128,6 +138,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/workflows/main.yml

@@ -47,6 +47,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python }}
       uses: actions/setup-python@v5
       with:
@@ -85,6 +87,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python }} (deadsnakes)
       uses: deadsnakes/[email protected]
       with:
@@ -117,6 +121,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python }} (deadsnakes)
       uses: deadsnakes/[email protected]
       with:
@@ -150,6 +156,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python }} (deadsnakes)
       uses: deadsnakes/[email protected]
       with:
@@ -179,6 +187,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -211,6 +221,8 @@ jobs:
         wget --no-verbose https://github.com/w3c/epubcheck/releases/download/v${EPUBCHECK_VERSION}/epubcheck-${EPUBCHECK_VERSION}.zip
         unzip epubcheck-${EPUBCHECK_VERSION}.zip
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -243,6 +255,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -275,6 +289,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -303,6 +319,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/workflows/nodejs.yml

@@ -34,6 +34,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Use Node.js ${{ env.node-version }}
       uses: actions/setup-node@v4
       with:

.github/workflows/transifex.yml

@@ -16,6 +16,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -45,6 +47,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

doc/tutorial/deploying.rst

@@ -188,6 +188,8 @@ contents:
          contents: write
        steps:
        - uses: actions/checkout@v4
+         with:
+           persist-credentials: false
        - name: Build HTML
          uses: ammaraskar/sphinx-action@master
        - name: Upload artifacts