ci: specify persist-credentials for actions/checkout

Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>

Author: HastD

.github/workflows/dev-bump.yml

@@ -18,6 +18,7 @@ jobs:
         with:
           ref: ${{ github.ref_name }}
           token: ${{ secrets.PODMANBOT_TOKEN }}
+          persist-credentials: true
       - name: Bump
         id: bump
         run: |
@@ -93,6 +94,7 @@ jobs:
         with:
           ref: main
           token: ${{ secrets.PODMANBOT_TOKEN }}
+          persist-credentials: true
       - name: Check version on main
         id: check
         run: |

.github/workflows/first_contrib_cert_generator.yml

@@ -60,6 +60,7 @@ jobs:
         with:
           repository: containers/automation
           path: automation-repo
+          persist-credentials: false
 
       # Step 3: Update the HTML file locally
       - name: Update HTML file

.github/workflows/mac-pkg.yml

@@ -100,6 +100,7 @@ jobs:
       uses: actions/checkout@v6
       with:
         ref: ${{steps.getversion.outputs.version}}
+        persist-credentials: false
     - name: Set up Go
       # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
       if: >-

.github/workflows/machine-os-pr.yml

@@ -74,6 +74,7 @@ jobs:
           repository: containers/podman-machine-os
           ref: ${{github.base_ref}}
           token: ${{secrets.PODMANBOT_TOKEN}}
+          persist-credentials: true
 
       - name: Bump version
         if: steps.getversion.outputs.update == 'true'

.github/workflows/release-artifacts.yml

@@ -103,6 +103,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{steps.getversion.outputs.version}}
+          persist-credentials: false
 
       - name: Set up Go
         if: >-

.github/workflows/release.yml

@@ -72,6 +72,7 @@ jobs:
       uses: actions/checkout@v6
       with:
         ref: ${{needs.check.outputs.version}}
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
@@ -109,6 +110,7 @@ jobs:
       uses: actions/checkout@v6
       with:
         ref: ${{needs.check.outputs.version}}
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
@@ -165,6 +167,8 @@ jobs:
         Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
     - name: Checkout Podman
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Download Windows zip artifact
       uses: actions/download-artifact@v6
     - name: Set up Go
@@ -268,6 +272,7 @@ jobs:
       uses: actions/checkout@v6
       with:
         ref: ${{needs.check.outputs.version}}
+        persist-credentials: false
     - name: Get release notes
       run: |
         ver="$(echo "$VERSION" | sed -e "s/^v//" -e "s/-rc.*//")"

.github/workflows/update-podmanio.yml

@@ -78,6 +78,7 @@ jobs:
           repository: containers/podman.io
           ref: refs/heads/main
           token: ${{ secrets.PODMANBOT_TOKEN }}
+          persist-credentials: true
 
       - name: Check version
         if: >-

.github/workflows/upload-win-installer.yml

@@ -55,6 +55,8 @@ jobs:
     # installer build script is designed to support older releases (uses the archives
     # on the release tag).
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     # This step is super-duper critical for the built/signed windows installer .exe file.
     # It ensures the referenced $version github release page does NOT already contain
     # this file.  Windows assigns a UUID to the installer at build time, it's assumed