Release · v2.18.1
Don't persist the checkout token on read-only jobs
ci: don't persist the checkout token on read-only jobs
Details
Add persist-credentials: false to every checkout in ci.yml and pr-validation.yml (all of them are read-only — none push). Keeps the GITHUB_TOKEN out of .git/config after checkout. agent.yml is intentionally left as-is since it pushes the work branch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A9nJYCSwtVUrxubiU4VAMN
Files changed (2)
| .github/workflows/ci.yml | +8 | −0 |
| .github/workflows/pr-validation.yml | +6 | −0 |