Remove `persist-credentials` or change the default to `false` #485
Open
Description
Currently one has to resort to explicitly specifying `persist-credentials: false` to avoid the credentials being persistent. My understanding is that persisting the credentials gives every step in the job that occurs after `actions/checkout@v2` implicit access to the token. This is not what people expect and this leads people to write jobs that expose their repo to more risk than they otherwise would.
I propose the `persist-credentials` feature be removed completely and then v3 be released. Otherwise, if that's not practical, then at least the default should be changed to `false`.
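One way to find the affected steps in a repository's workflows, as an added example that is not part of the original issue or of the actions/checkout project: a small audit that flags every `actions/checkout` step that does not set `persist-credentials: false`. It treats a missing setting as persisting, following the issue's description; the function names and the sample workflow are constructed for illustration, and the step splitting is an indentation heuristic rather than a full YAML parser.

```python
import re

ITEM_RE = re.compile(r"^(\s*)-\s")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?(actions/checkout@[^\s'\"#]+)", re.M)
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b", re.M | re.I)
# Constructed sample workflow (not taken from the issue).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v2
      - run: npm ci && npm test
  release:
    steps:
      - name: Checkout without persisted token
        uses: actions/checkout@v2
        with:
          persist-credentials: false
"""

def split_items(text):
    """Group lines into YAML list items by indentation (heuristic, not a YAML parser)."""
    items, cur = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments never belong to a step
        m = ITEM_RE.match(line)
        if m:
            cur = {"line": no, "indent": len(m.group(1)), "body": [line]}
            items.append(cur)
        elif cur and len(line) - len(line.lstrip()) > cur["indent"]:
            cur["body"].append(line)  # deeper indentation: still the same item
        else:
            cur = None  # dedent: the current item has ended
    return items

def audit(text):
    """Return (line, action) for checkout steps that do not set persist-credentials: false."""
    findings = []
    for item in split_items(text):
        body = "\n".join(item["body"])
        uses = USES_RE.search(body)
        if uses and not PERSIST_RE.search(body):
            findings.append((item["line"], uses.group(1)))
    return findings

if __name__ == "__main__":
    for line, action in audit(SAMPLE):
        print(f"line {line}: {action} does not set persist-credentials: false")
```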