Harden release workflow checkouts

AkashKumar7902 · AkashKumar7902 · commit 3403a8d839de · 2026-04-28T22:59:12.000+05:30
Signed-off-by: Akash Kumar &lt;meakash7902@gmail.com&gt;
diff --git a/.github/workflows/reusable-release-policy-assemblyscript.yml b/.github/workflows/reusable-release-policy-assemblyscript.yml
@@ -23,6 +23,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
@@ -55,6 +56,9 @@ jobs:
         with:
           node-version: "${{ env.NODE_VERSION }}"
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - name: Install npm
         run: npm install
       - name: Install npm dependencies
diff --git a/.github/workflows/reusable-release-policy-go-wasi.yml b/.github/workflows/reusable-release-policy-go-wasi.yml
@@ -21,6 +21,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
diff --git a/.github/workflows/reusable-release-policy-go.yml b/.github/workflows/reusable-release-policy-go.yml
@@ -21,6 +21,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
diff --git a/.github/workflows/reusable-release-policy-rego.yml b/.github/workflows/reusable-release-policy-rego.yml
@@ -33,6 +33,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
@@ -70,6 +71,9 @@ jobs:
       - name: Install opa
         uses: kubewarden/github-actions/opa-installer@a4c174cd70a6b18027011907c2fa8fc5bb4107fd
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - name: Build policy
         working-directory: ${{ inputs.policy-working-dir }}
         shell: bash
diff --git a/.github/workflows/reusable-release-policy-rust.yml b/.github/workflows/reusable-release-policy-rust.yml
@@ -21,6 +21,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
diff --git a/.github/workflows/reusable-release-policy-swift.yml b/.github/workflows/reusable-release-policy-swift.yml
@@ -21,6 +21,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: calculate-version
         shell: bash
         run: |
