From 9d4d3e8583ff783139a88e195a6804f5ca727b0f Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <hi@filippo.io>
Date: Mon, 6 Jan 2025 14:50:02 +0100
Subject: [PATCH] Avoid leaking credentials to all CI jobs

See actions/checkout#485.
---
 .github/workflows/build.yml | 4 ++++
 .github/workflows/test.yml  | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d4ba872..3e197a3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 22.x
@@ -42,6 +44,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 22.x
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 307efa7..00bd781 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,6 +17,8 @@ jobs:
           - 22.x # Active LTS as of 2025-01
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v4
         with:
@@ -31,6 +33,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@v1
         with:
           bun-version: latest