Disable credential persisting for actions/checkout

[nedsalk]

It seems that the default behavior of persist-credentials:true is generally a security issue (actions/checkout#485). We should be disabling it in all of our workflows. Some jobs might fail if they were depending on this persisted value. The solution would be to define it in the job's environment, e.g.:

- name: Do something
  run: echo something
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 

For more info, take a look at #1848 where this problem was found.

[maschad]

@nedsalk Is this issue still relevant? It seems that the only place persist-credentials is used is here and it's set to false

[nedsalk]

@maschad Yes, it's still relevant. I disabled persist-credentials only in that place to fix the issue in #1848, but from what was said in actions/checkout#485, we might want to set it to false everywhere. The work to set it to false everywhere was out of the scope of #1848 so I created this issue. Also note that I created it mainly based on actions/checkout#485 and didn't delve much deeper into investigating it. It made sense when I read it at that time.

[maschad]

Thanks for clarifying @nedsalk , there seems to be discrepancy though between the documented default and the code though, so it may actually be a documentation issue in actions/checkout#485 and the default of persist-credentials is actually false

Reference: actions/checkout#485 (comment)

[maschad]

I'm closing this based on my previous comment, feel free to re-open otherwise.