Set release persist-credential false #1010

Merged: 5ouma merged 1 commit into main from ci-release-persist-credential-false on Jun 9, 2026

5ouma (Owner) commented Jun 9, 2026

Set the GitHub CLI as a Git credential helper to operate.

Set GitHub CLI as a Git credential helper to operate.
Copilot AI review requested due to automatic review settings June 9, 2026 13:48

Copilot AI left a comment

Pull request overview

This PR updates the release workflow to stop persisting actions/checkout credentials and instead rely on GitHub CLI as the git credential helper, aligning the workflow with security linting expectations.

Changes:

  • Set actions/checkout persist-credentials to false in the release workflow.
  • Add a gh auth setup-git step and provide GH_TOKEN to tagpr to support authenticated git operations.
  • Remove the ghalint exclusion that previously allowed persist-credentials: true for the release job.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/release.yml | Disables persisted checkout credentials and configures git authentication for the release process. |
| .github/ghalint.yml | Removes the workflow lint exclusion related to persist-credentials. |

Comment thread .github/workflows/release.yml
coderabbitai Bot commented Jun 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between eb87ba5 and a6cc9ab.

📒 Files selected for processing (2)
  • .github/ghalint.yml
  • .github/workflows/release.yml
💤 Files with no reviewable changes (1)
  • .github/ghalint.yml

Walkthrough

This PR disables credential persistence in GitHub Actions' checkout step for the release workflow and removes the associated linter policy exception. The checkout step now prevents authentication tokens from persisting to later steps, while the release automation continues to use an explicit token passed via environment variable.

Changes

Credential Security Policy

| Layer / File(s) | Summary |
| --- | --- |
| Checkout credential persistence and policy alignment (.github/workflows/release.yml, .github/ghalint.yml) | The actions/checkout@v* step sets persist-credentials: false to prevent token leakage to subsequent steps. The Songmu/tagpr step receives GH_TOKEN explicitly via environment configuration. The linter exclusion for checkout_persist_credentials_should_be_false is removed from the ghalint configuration, enforcing the policy across all workflows. |

Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title directly reflects the main change: setting persist-credentials to false in the release workflow, which is the primary modification across the changed files. |
| Description check | ✅ Passed | The description is related to the changeset, explaining the purpose of configuring the GitHub CLI as a credential helper in conjunction with the persist-credentials change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@5ouma 5ouma merged commit 1d4175f into main Jun 9, 2026
7 checks passed
@5ouma 5ouma deleted the ci-release-persist-credential-false branch June 9, 2026 13:51
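
A minimal check in the spirit of the `checkout_persist_credentials_should_be_false` policy named in the review above, added here as an example; it is not ghalint's implementation and not code from this pull request. The sample workflow, the action version tags and the function names are constructed for illustration, and the parser relies on indentation only rather than a full YAML parser.

```python
import re
USES_CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*[\"']?actions/checkout@")
PERSIST = re.compile(r"^\s*persist-credentials:\s*[\"']?([A-Za-z]+)")
# Constructed workflow, not the repository's release.yml.
WORKFLOW = """\
on: push
jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # input omitted: default is true
  after:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # read by gh and by tagpr
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: gh auth setup-git
      - uses: Songmu/tagpr@v1
"""

def list_items(text):
    """Yield (first_line_no, lines) per YAML list item, using indentation only."""
    start, indent, body = 0, -1, []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cur = len(line) - len(line.lstrip())
        if body and cur <= indent:  # a sibling or a dedent closes the open item
            yield start, body
            body = []
        if body:
            body.append(line)
        elif line.lstrip().startswith("- "):
            start, indent, body = no, cur, [line]
    if body:
        yield start, body

def unpersisted_checkouts(text):
    """Line numbers of actions/checkout steps lacking a literal persist-credentials: false."""
    findings = []
    for start, body in list_items(text):
        if any(USES_CHECKOUT.match(l) for l in body):
            values = [m.group(1).lower() for l in body if (m := PERSIST.match(l))]
            if values != ["false"]:  # missing, true, or an expression: flag it
                findings.append(start)
    return findings
```

A value given as an expression (`${{ ... }}`) is flagged as well, because the check cannot prove it evaluates to false.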