From d6607232163716ffb15b49da374310b4b7ad8dee Mon Sep 17 00:00:00 2001
From: Jamie Tanna
Date: Tue, 2 Jun 2026 18:24:03 +0100
Subject: [PATCH] ci: don't persist credentials after checkout

Via Zizmor.

Co-authored-by: Claude Sonnet 4.6
---
 .github/workflows/build.yml | 16 ++++++++++++++++
 .github/workflows/close-answered-discussions.yml | 1 +
 .github/workflows/codeql-analysis.yml | 1 +
 .github/workflows/dependency-review.yml | 1 +
 .github/workflows/devcontainer.yml | 1 +
 .../find-issues-with-missing-labels.yml | 2 ++
 .../workflows/undesirable-test-additions.yaml | 1 +
 .github/workflows/update-data.yml | 1 +
 .github/workflows/ws_scan.yaml | 1 +
 9 files changed, 25 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f07fbc5f53..ab3b5a97f7a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -101,6 +101,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false filter: blob:none # we don't need all blobs sparse-checkout: ${{ env.SPARSE_CHECKOUT }} show-progress: false
@@ -140,6 +141,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false filter: blob:none # we don't need all blobs sparse-checkout: ${{ env.SPARSE_CHECKOUT }} show-progress: false
@@ -184,6 +186,7 @@ jobs: if: needs.setup.outputs.os-matrix-is-full && runner.os != 'Linux' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false filter: blob:none # we don't need all blobs sparse-checkout: ${{ env.SPARSE_CHECKOUT }} show-progress: false
@@ -206,6 +209,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js 
@@ -230,6 +234,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -272,6 +277,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -305,6 +311,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -354,6 +361,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false sparse-checkout: .github/workflows
@@ -390,6 +398,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -466,6 +475,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false filter: blob:none # we don't need all blobs show-progress: false
@@ -496,6 +506,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false filter: blob:none # we don't need all blobs sparse-checkout: ${{ env.SPARSE_CHECKOUT }} show-progress: false
@@ -611,6 +622,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -648,6 +660,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Download dist 
@@ -689,6 +702,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -738,6 +752,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup Node.js
@@ -821,6 +836,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false fetch-depth: 0 # zero stands for full checkout, which is required for semantic-release filter: blob:none # we don't need all blobs, only the full tree show-progress: false
diff --git a/.github/workflows/close-answered-discussions.yml b/.github/workflows/close-answered-discussions.yml
index db88ce492f5..65fc1439bf5 100644
--- a/.github/workflows/close-answered-discussions.yml
+++ b/.github/workflows/close-answered-discussions.yml
@@ -20,6 +20,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9c6208f2808..e69adecc6b5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,6 +33,7 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Delete fixtures to suppress false positives
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 27f304d3a55..f3778873187 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml 
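Review bot: The `@@ -821` release hunk in build.yml is the one place in this patch where dropping the persisted token can change behaviour: the step fetches full history because semantic-release needs it, and the steps that follow are outside the hunk, so if any of them pushes tags or commits with a plain `git push` relying on the checkout credential it will now fail to authenticate. semantic-release itself takes its token from its environment (GH_TOKEN/GITHUB_TOKEN) rather than from the checkout, so it is not expected to break, but that is inferred rather than visible here and should be confirmed against the rest of the job. Recording that dependency next to the existing fetch-depth comment would stop a future reader from reverting it: `persist-credentials: false # later release steps authenticate with their own token, not the checkout credential`. The same check applies to update-data.yml (`@@ -19`), whose later steps are likewise outside its hunk.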
@@ -11,6 +11,7 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: 'Dependency Review'
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index b11b09fbb74..f7675115696 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -20,6 +20,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Build and run dev container task
diff --git a/.github/workflows/find-issues-with-missing-labels.yml b/.github/workflows/find-issues-with-missing-labels.yml
index a521b32d366..8ffb1137581 100644
--- a/.github/workflows/find-issues-with-missing-labels.yml
+++ b/.github/workflows/find-issues-with-missing-labels.yml
@@ -22,6 +22,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Search for issues with missing labels run: bash ./tools/find-issues-with-missing-labels.sh
diff --git a/.github/workflows/undesirable-test-additions.yaml b/.github/workflows/undesirable-test-additions.yaml
index 06cac90b218..254949a3546 100644
--- a/.github/workflows/undesirable-test-additions.yaml
+++ b/.github/workflows/undesirable-test-additions.yaml
@@ -16,6 +16,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false fetch-depth: 0 # Fetch all history for comparison sparse-checkout: true ref: ${{ github.event.pull_request.head.ref }}
diff --git a/.github/workflows/update-data.yml b/.github/workflows/update-data.yml
index 70ba15ea4dc..6369828adc4 100644
--- a/.github/workflows/update-data.yml
+++ b/.github/workflows/update-data.yml 
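Review bot: The undesirable-test-additions hunk (`@@ -16`) is where the added `persist-credentials: false` carries the most weight, because the step checks out `ref: ${{ github.event.pull_request.head.ref }}` with `fetch-depth: 0`, i.e. a tree controlled by the pull-request author, and the trigger that decides which token this job receives is outside the hunk. Removing the persisted token limits what a step running in that tree can do with the repository, but it does not change what is checked out; if the workflow's trigger is `pull_request_target`, the checkout of the PR head is the finding to review next, together with keeping the job's `GITHUB_TOKEN` read-only and secret-free. Separately and pre-existing, `head.ref` is only a branch name and is resolved against the base repository unless `repository:` is set, so `github.event.pull_request.head.sha` would be the unambiguous ref for a fork PR; that is outside this change.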
@@ -19,6 +19,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false show-progress: false - name: Setup pnpm
diff --git a/.github/workflows/ws_scan.yaml b/.github/workflows/ws_scan.yaml
index d1b3e9cd19a..5a447c9fe3e 100644
--- a/.github/workflows/ws_scan.yaml
+++ b/.github/workflows/ws_scan.yaml
@@ -14,6 +14,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: show-progress: false + persist-credentials: false - name: Download UA run: curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
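Review bot: In the ws_scan hunk (`@@ -14`) the new key is placed after `show-progress: false`, whereas every other hunk in this patch puts `persist-credentials: false` first under `with:`; moving it up keeps the checkout stanzas identical across the workflows and makes the next Zizmor-style sweep greppable. Not part of this change but on the line right after it, the `curl -LJO .../releases/latest/download/wss-unified-agent.jar` step fetches a floating, unpinned artifact with no integrity check, which is a larger supply-chain exposure in this job than the checkout token; worth a follow-up that pins a release and verifies a digest.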