Set persist-credentials to false. (youtube#374)

Also, use actions/checkout@v3

b/282361986

.github/workflows/label-cherry-pick.yaml

@@ -63,6 +63,7 @@ jobs:
         with:
           ref: ${{ matrix.target_branch }}
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Git
         run: |

.github/workflows/lint.yaml

@@ -40,6 +40,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Python
         uses: actions/setup-python@v4
       - name: Install Pip Packages

.github/workflows/main.yaml

@@ -71,6 +71,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Remove runtest if exists
         if: github.event_name == 'pull_request'
         continue-on-error: true  # Ignore this step if we cannot remove the label.
@@ -121,6 +122,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Login to Docker Registry ${{env.REGISTRY}}
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
@@ -153,6 +155,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Login to Docker Registry ${{env.REGISTRY}}
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
@@ -197,6 +200,7 @@ jobs:
         with:
           # Use fetch depth of 0 to get full history for a valid build id.
           fetch-depth: 0
+          persist-credentials: false
       - name: GN
         uses: ./.github/actions/gn
       - name: Build Cobalt
@@ -275,6 +279,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          persist-credentials: false
       - name: Run Tests (${{ matrix.shard }})
         uses: ./.github/actions/on_device_tests
 
@@ -304,6 +311,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Run Tests
         uses: ./.github/actions/on_host_test
         with:

.github/workflows/main_win.yaml

@@ -62,6 +62,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Remove runtest if exists
         if: github.event_name == 'pull_request'
         continue-on-error: true  # Ignore this step if we cannot remove the label.
@@ -106,6 +107,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Login to Docker Registry ${{env.REGISTRY}}
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
@@ -140,6 +142,7 @@ jobs:
         with:
           # Use fetch depth of 0 to get full history for a valid build id.
           fetch-depth: 0
+          persist-credentials: false
       - name: GN
         uses: ./.github/actions/gn
       - name: Build Cobalt
@@ -173,6 +176,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Run Tests
         uses: ./.github/actions/on_host_test
         with:

.github/workflows/manual-cherry-pick.yaml

@@ -46,9 +46,10 @@ jobs:
       GITHUB_REF: ${{ github.ref }}
     steps:
     - name: Checkout code
-      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      uses: actions/checkout@v3
       with:
         ref: ${{ env.RELEASE_BRANCH }}
+        persist-credentials: false
     - name: Get some helpful info for formatting
       id: cherrypick
       run: |

.github/workflows/nightly_trigger.yaml

@@ -17,6 +17,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: 23.lts.1+
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -37,6 +38,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: 22.lts.1+
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -56,6 +58,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: 21.lts.1+
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -74,6 +77,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: 20.lts.1+
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -91,6 +95,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: 19.lts.1+
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -108,6 +113,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: rc_11
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x
@@ -125,6 +131,7 @@ jobs:
         with:
           fetch-depth: 1
           ref: COBALT_9
+          persist-credentials: false
       - name: Trigger Nightly
         run: |
           set -x

.github/workflows/pytest.yaml

@@ -25,6 +25,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          persist-credentials: false
       - name: Setup Python
         uses: actions/setup-python@v4
         with:

.github/workflows/scorecards.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v3.2.0
+        uses: actions/checkout@v3
         with:
           persist-credentials: false