From 3ef344ac44ed325060fce0ad80fded0aca3f7205 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Fri, 12 Sep 2025 14:01:33 -0500
Subject: [PATCH] fix: ensure we're not persisting credentials after checkouts
Signed-off-by: jmeridth
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/lint.yml | 2 ++
 .github/workflows/post-merge.yml | 2 ++
 .github/workflows/release.yml | 1 +
 .github/workflows/site.yml | 1 +
 5 files changed, 10 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 546cb21..7461752 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v6
 with:
 go-version: "^1.23.4"
@@ -50,6 +52,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v6
 with:
 go-version: "^1.23.4"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d338ff1..50255d3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v6
 with:
 go-version: stable
diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml
index b31054a..ae7baff 100644
--- a/.github/workflows/post-merge.yml
+++ b/.github/workflows/post-merge.yml
@@ -11,6 +11,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - id: Fetch_tags
 run: git fetch --prune --unshallow --tags
 - run: git describe --tags
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 26b0724..fb5c9f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
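Review bot: The added `with:` / `persist-credentials: false` pair in the first ci.yml hunk carries no comment saying why it is there, and the same two lines are repeated by hand in the second ci.yml hunk and in lint.yml, post-merge.yml, release.yml and site.yml, so a checkout step added later can omit them unnoticed. I would put one comment above the key, e.g. `# keep the job token out of .git/config so later steps and uploaded artifacts cannot read it`, and let the lint workflow run a workflow linter that flags checkouts lacking the setting (zizmor's `artipacked` audit covers this). The checkout steps are also referenced by tag (`actions/checkout@v5.0.0`) rather than by full commit SHA; that line is unchanged context here, but it belongs to the same hardening pass. The job's remaining steps lie outside the hunk.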
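Review bot: In post-merge.yml the step directly after the checkout, `run: git fetch --prune --unshallow --tags`, now runs without the token that checkout previously left in the git config, so it succeeds only while the repository can be fetched anonymously. Doing the full fetch inside the checkout step removes that dependency: add `fetch-depth: 0` under the new `with:` and drop the Fetch_tags step, since `--unshallow` errors on an already complete clone and the two should not be combined. The same check applies to any later step in release.yml and site.yml that reaches the remote through git; those steps are outside the visible hunks, so this is something to confirm rather than a confirmed break.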
@@ -26,6 +26,7 @@ jobs:
 uses: actions/checkout@v5.0.0
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
 uses: actions/setup-go@v6
 with:
diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml
index b9ec288..119c1fa 100644
--- a/.github/workflows/site.yml
+++ b/.github/workflows/site.yml
@@ -11,6 +11,7 @@ jobs:
 with:
 submodules: recursive # Fetch Hugo themes (true OR recursive)
 fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
+ persist-credentials: false
 - name: Setup Hugo
 uses: peaceiris/actions-hugo@v3.0.0