From f38d20996fef2e3496930f8fe9144ed2db97bdea Mon Sep 17 00:00:00 2001
From: Steffen Winter
Date: Fri, 27 Mar 2026 00:17:37 +0100
Subject: [PATCH] ci: don't persist workflow credentials on runner
---
 .github/workflows/cmake-freebsd.yml | 2 ++
 .github/workflows/cmake-linux.yml | 2 ++
 .github/workflows/cmake-macos.yml | 2 ++
 .github/workflows/cmake-netbsd.yml | 2 ++
 .github/workflows/cmake-openbsd.yml | 2 ++
 .github/workflows/continuous-build-freebsd.yml | 2 ++
 .github/workflows/continuous-build-gpu.yml | 2 ++
 .github/workflows/continuous-build-linux.yml | 2 ++
 .github/workflows/continuous-build-macos.yml | 2 ++
 .github/workflows/continuous-build-netbsd.yml | 2 ++
 .github/workflows/continuous-build-openbsd.yml | 2 ++
 .github/workflows/test-snap-can-build.yml | 2 ++
 12 files changed, 24 insertions(+)
diff --git a/.github/workflows/cmake-freebsd.yml b/.github/workflows/cmake-freebsd.yml
index daf84472..f69ad56c 100644
--- a/.github/workflows/cmake-freebsd.yml
+++ b/.github/workflows/cmake-freebsd.yml
@@ -37,6 +37,8 @@ jobs:
 version: ['14.3', '15.0']
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/freebsd-vm@4807432c7cab1c3f97688665332c0b932062d31f # v1.4.3
diff --git a/.github/workflows/cmake-linux.yml b/.github/workflows/cmake-linux.yml
index 5441dd0e..6a914bd4 100644
--- a/.github/workflows/cmake-linux.yml
+++ b/.github/workflows/cmake-linux.yml
@@ -46,6 +46,8 @@ jobs:
 version: 14
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install clang ${{ matrix.version }}
 if: ${{ matrix.compiler == 'clang' }}
diff --git a/.github/workflows/cmake-macos.yml b/.github/workflows/cmake-macos.yml
index 4e10f247..213468ba 100644
--- a/.github/workflows/cmake-macos.yml
+++ b/.github/workflows/cmake-macos.yml
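Review bot: The new `with:` block under the checkout step in cmake-freebsd.yml carries no comment saying why credentials are dropped, and the same two lines are repeated in all twelve workflow files touched by this patch (every other hunk is identical), so a checkout step added later can silently omit them. A one-line comment above the block would record the intent, for example `# Do not keep the workflow token configured for git after checkout; later steps only build`; that the later steps need no authenticated git is inferred from the visible `Compile` and `Install` steps and should be confirmed per workflow. Because the setting is easy to forget, a workflow linter that flags checkout steps without `persist-credentials: false` (zizmor's `artipacked` audit is one) would keep new workflows consistent. The hunks do not show whether a `permissions:` block limits the token itself; if none exists, `permissions:` with `contents: read` would complement this change. The job bodies start and end outside the hunks.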
@@ -32,6 +32,8 @@ jobs:
 cancel-in-progress: true
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install build tools
 run: |
diff --git a/.github/workflows/cmake-netbsd.yml b/.github/workflows/cmake-netbsd.yml
index 95d9321b..13e9be47 100644
--- a/.github/workflows/cmake-netbsd.yml
+++ b/.github/workflows/cmake-netbsd.yml
@@ -37,6 +37,8 @@ jobs:
 version: ['10.1']
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/netbsd-vm@ca7ff0556959998c82761c34ea0c3c99fa084c48 # v1.3.7
diff --git a/.github/workflows/cmake-openbsd.yml b/.github/workflows/cmake-openbsd.yml
index b2e0b292..fc5c7dee 100644
--- a/.github/workflows/cmake-openbsd.yml
+++ b/.github/workflows/cmake-openbsd.yml
@@ -37,6 +37,8 @@ jobs:
 version: ['7.8']
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/openbsd-vm@3fafb45f2e2e696249c583835939323fe1c3448c # v1.3.7
diff --git a/.github/workflows/continuous-build-freebsd.yml b/.github/workflows/continuous-build-freebsd.yml
index c5ac7e32..412c4c09 100644
--- a/.github/workflows/continuous-build-freebsd.yml
+++ b/.github/workflows/continuous-build-freebsd.yml
@@ -40,6 +40,8 @@ jobs:
 compiler: ["clang++", "g++"]
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/freebsd-vm@4807432c7cab1c3f97688665332c0b932062d31f # v1.4.3
diff --git a/.github/workflows/continuous-build-gpu.yml b/.github/workflows/continuous-build-gpu.yml
index d1afa7d9..0bf61c7b 100644
--- a/.github/workflows/continuous-build-gpu.yml
+++ b/.github/workflows/continuous-build-gpu.yml
@@ -40,6 +40,8 @@ jobs:
 cancel-in-progress: true
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install build tools
 run: apk add --no-cache --update gcc g++ make linux-headers
diff --git a/.github/workflows/continuous-build-linux.yml b/.github/workflows/continuous-build-linux.yml
index 6c3a596d..2af3c914 100644
--- a/.github/workflows/continuous-build-linux.yml
+++ b/.github/workflows/continuous-build-linux.yml
@@ -63,6 +63,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install cross toolchain
 run: |
diff --git a/.github/workflows/continuous-build-macos.yml b/.github/workflows/continuous-build-macos.yml
index 3d098f52..c49e70f5 100644
--- a/.github/workflows/continuous-build-macos.yml
+++ b/.github/workflows/continuous-build-macos.yml
@@ -46,6 +46,8 @@ jobs:
 xcode-version: latest-stable
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install build tools
 run: |
diff --git a/.github/workflows/continuous-build-netbsd.yml b/.github/workflows/continuous-build-netbsd.yml
index 702a88ac..d93d2b94 100644
--- a/.github/workflows/continuous-build-netbsd.yml
+++ b/.github/workflows/continuous-build-netbsd.yml
@@ -37,6 +37,8 @@ jobs:
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/netbsd-vm@ca7ff0556959998c82761c34ea0c3c99fa084c48 # v1.3.7
diff --git a/.github/workflows/continuous-build-openbsd.yml b/.github/workflows/continuous-build-openbsd.yml
index 71bc590b..f342d36b 100644
--- a/.github/workflows/continuous-build-openbsd.yml
+++ b/.github/workflows/continuous-build-openbsd.yml
@@ -37,6 +37,8 @@ jobs:
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Compile
 uses: vmactions/openbsd-vm@3fafb45f2e2e696249c583835939323fe1c3448c # v1.3.7
diff --git a/.github/workflows/test-snap-can-build.yml b/.github/workflows/test-snap-can-build.yml
index 891c40e5..3face6fd 100644
--- a/.github/workflows/test-snap-can-build.yml
+++ b/.github/workflows/test-snap-can-build.yml
@@ -40,6 +40,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: snapcore/action-build@3bdaa03e1ba6bf59a65f84a751d943d549a54e79 # v1.3.0
 id: build