Disable credential persistence in GitHub Actions checkout steps (#631)

jonathan343 · web-flow · commit f8ba8931a127 · 2026-01-23T15:21:58.000-05:00
Add persist-credentials: false to all actions/checkout steps across CI workflows to prevent credentials from being exposed to subsequent workflow steps, improving security posture.
diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml
@@ -15,6 +15,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
 
       - uses: apache/skywalking-eyes/header@0630b017b4e34f27f0d8719c873d703fb31ec8de
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
 
       - name: Set up JDK 17
         uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
diff --git a/.github/workflows/update-gradle-wrapper.yml b/.github/workflows/update-gradle-wrapper.yml
@@ -20,6 +20,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
 
       - name: Update Gradle Wrapper
         uses: gradle-update/update-gradle-wrapper-action@512b1875f3b6270828abfe77b247d5895a2da1e5
