workflows: don't persist credentials

By default, the `actions/checkout` action stores the credentials in the
local Git config file.  This is not really very secure and a credential
manager would be a much better idea, but Actions has not yet done so.

In the mean time, since we don't need those credentials to perform more
Git operations, let's make sure to not persist them in the config,
which means that it's less likely we'll accidentally expose them, such
as by shipping them in an artifact.

Author: bk2204

.github/workflows/ci.yml

@@ -15,6 +15,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       if: ${{ github.ref_type == 'tag' }}
       # We update the current tag as the checkout step turns annotated tags
@@ -53,6 +54,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       if: ${{ github.ref_type == 'tag' }}
     - uses: actions/setup-go@v5
@@ -66,6 +68,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       if: ${{ github.ref_type == 'tag' }}
       shell: bash
@@ -134,6 +137,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - uses: actions/setup-go@v5
       with:
         go-version: '1.23.x'
@@ -158,6 +162,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - uses: actions/setup-go@v5
       with:
         go-version: '1.23.x'
@@ -179,6 +184,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       if: ${{ github.ref_type == 'tag' }}
     - uses: ruby/setup-ruby@v1
@@ -196,6 +202,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       if: ${{ github.ref_type == 'tag' }}
     - uses: ruby/setup-ruby@v1

.github/workflows/release.yml

@@ -16,6 +16,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
       shell: bash
       # We update the current tag as the checkout step turns annotated tags
@@ -108,6 +109,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
@@ -147,6 +149,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
@@ -178,6 +181,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
     - uses: ruby/setup-ruby@v1
     - run: gem install packagecloud-ruby
@@ -199,6 +203,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
     - uses: ruby/setup-ruby@v1
     - run: gem install packagecloud-ruby