From 997ebbb623e07b78e02c57e61c329591ff57616f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 11 Mar 2026 12:44:37 +0100
Subject: [PATCH] SEC: avoid leaking credentials in GHA
---
 .github/workflows/release.yml | 2 ++
 .github/workflows/test.yml | 14 ++++++++++++++
 .github/workflows/update-dependencies.yml | 2 ++
 .github/workflows/update-major-minor-tag.yml | 2 ++
 4 files changed, 20 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cbec9356..b8a0ba66d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v2
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c553bd6f6..71c79eaf4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -38,6 +38,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 id: python
 with:
@@ -52,6 +54,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 name: Install Python
 with:
@@ -112,6 +116,8 @@ jobs:
 timeout-minutes: 180
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 name: Install Python ${{ matrix.python_version }}
 with:
@@ -240,6 +246,8 @@ jobs:
 archs: ${{ steps.archs.outputs.archs }}
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: "3.x"
@@ -263,6 +271,8 @@ jobs:
 arch: ${{ fromJSON(needs.emulated-archs.outputs.archs) }}
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: "3.x"
@@ -283,6 +293,8 @@ jobs:
 timeout-minutes: 180
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 name: Install Python 3.12
 with:
@@ -331,6 +343,8 @@ jobs:
 test_select: android
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Download a sample project
 uses: actions/download-artifact@v8
 with:
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 6f5cc76d1..51bb55029 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -31,6 +31,8 @@ jobs:
 private-key: ${{ secrets.CIBUILDWHEEL_BOT_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: wntrblm/nox@2026.02.09
diff --git a/.github/workflows/update-major-minor-tag.yml b/.github/workflows/update-major-minor-tag.yml
index 2d48506a7..d08a3d7d7 100644
--- a/.github/workflows/update-major-minor-tag.yml
+++ b/.github/workflows/update-major-minor-tag.yml
@@ -22,6 +22,8 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Update the ${{ env.TAG_NAME }} tag
 id: update-major-minor-tag
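Review bot: In the update-dependencies.yml hunk, `persist-credentials: false` means the token that actions/checkout would otherwise leave in the checkout's git config is no longer available to later steps, so anything in this job that pushes or opens a pull request must now authenticate on its own; the step above that receives `private-key: ${{ secrets.CIBUILDWHEEL_BOT_APP_PRIVATE_KEY }}` (presumably minting an app token) is not wired to the checkout or to any step inside the hunk, and the same applies to update-major-minor-tag.yml, where the job holds `contents: write` and the "Update the ${{ env.TAG_NAME }} tag" step follows the checkout directly. The steps that push are outside these hunks, so this may already be handled (a token input on the pushing step, or a `GH_TOKEN` environment variable for the gh CLI), but it is worth confirming before merging, since a failed push would be the first symptom. A one-line comment on each of those two checkout steps would record the intent, e.g. `# no persisted token: the push step below authenticates explicitly with the app token`. The remaining hunks in release.yml and test.yml only build and test, so no follow-up is needed there.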