Summary

Sets persist-credentials: false on every actions/checkout step across our workflows. By default, actions/checkout persists the GITHUB_TOKEN on disk so that subsequent git operations are authenticated; when downstream steps don't need that, opting out removes an unnecessary credential-leak surface. This is the artipacked audit in zizmor.

Where the token actually lives (FYI)

• actions/checkout@v4 (what we use today): the token is written into the repo's .git/config as an http.https://github.com/.extraheader basic-auth value. So if any later step uploads the workspace (including .git/) as an artifact, the token rides along.
• actions/checkout@v5+ / v6 (#2286 "Persist creds to a separate file"): the auth header is written to $RUNNER_TEMP/git-credentials-<uuid>.config and .git/config only contains an includeIf.gitdir:<repo>.path = <that file> pointer. The credential is no longer captured by a .git/-inclusive artifact upload, but it still persists on disk in RUNNER_TEMP until the post-job cleanup removes it.

persist-credentials: false skips writing the credential anywhere in either version.

Changes

• .github/workflows/codeql-analysis.yml
• .github/workflows/lint.yml
• .github/workflows/test.yml

Safety

None of the affected workflows perform authenticated git operations after checkout:

No git push, no submodules, no private module fetches, no gh calls that rely on the persisted git credential.

Verification

zizmor reports clean after the change:

No findings to report. Good job! (8 suppressed)