From 58b561a3ff87dce0604eb68618a245cbd2704812 Mon Sep 17 00:00:00 2001
From: Minijackson <minijackson@riseup.net>
Date: Thu, 22 Aug 2024 09:27:40 +0200
Subject: [PATCH] github: don't persist checkout credentials by default

the backport action however still needs the credentials
---
 .github/workflows/backport.yml          | 3 +++
 .github/workflows/book-gh-pages.yml     | 2 ++
 .github/workflows/editorconfig.yml      | 2 ++
 .github/workflows/formatting.yml        | 2 ++
 .github/workflows/update-flake-lock.yml | 1 +
 5 files changed, 10 insertions(+)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 3968462f..17f4f854 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -23,6 +23,9 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          # Credentials are needed to push to a remote branch,
+          # before creating a pull request
+          persist-credentials: true
       - name: Create backport PRs
         uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
         with:
diff --git a/.github/workflows/book-gh-pages.yml b/.github/workflows/book-gh-pages.yml
index c85315be..5a604a13 100644
--- a/.github/workflows/book-gh-pages.yml
+++ b/.github/workflows/book-gh-pages.yml
@@ -24,6 +24,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
       - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
       - name: "Build documentation book"
         run: |
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
index d5379ba5..bb1744d0 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        persist-credentials: false
     - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
     - name: "Check EditorConfig"
       run: nix run 'nixpkgs#eclint' --inputs-from .
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 13cdb7ac..ee2861d8 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        persist-credentials: false
     - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
     - name: "Check Formatting"
       run: nix fmt -- --check .
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index fc1aecc8..536a35c4 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -28,6 +28,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ matrix.branch }}
+          persist-credentials: false
       - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
       - uses: DeterminateSystems/update-flake-lock@db4ee38117a597ea8df8f7f75a187dd65093eade # v23
         with: