feat: Add persist-credentials input #69
Merged
Adds a new `persist-credentials` input that is passed through to the `actions/checkout` step. Defaults to `true` to preserve existing behaviour, but can be set to `false` to prevent accidental token leaks.
persist-credentials input
Mrtenz
commented
Jun 9, 2026
| persist-credentials: | ||
| description: 'Whether to persist the GitHub token in the checked-out repository. This is passed to the `actions/checkout` step. Setting this to false can help prevent accidental token leaks, but if your workflow needs to make authenticated GitHub API calls using the checked-out repository, you may need to set this to true (default).' | ||
| required: false | ||
| default: 'true' |
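Review bot: The `description` string tells callers they may need `true` for "authenticated GitHub API calls using the checked-out repository", but what this input decides is whether later git commands in the checkout (pull, fetch, push) can authenticate with the stored token. Suggest rewording that clause to name authenticated git operations explicitly, and saying in the description that `default: 'true'` is kept only for backward compatibility, so callers that run no git commands after checkout know to set it to `false`.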
Member
Author
I considered making this false by default, but that would be a breaking change as any subsequent steps would no longer be able to pull, fetch, push, etc., so this is the best we can do for now. We should make this false in the next major version (or even force this to be false, and have subsequent steps use the GitHub token themselves).
FrederikBolding
approved these changes
Jun 9, 2026
cryptodev-2s
approved these changes
Jun 9, 2026
Summary
- `persist-credentials` input passed through to the `actions/checkout` step.
- `true` to preserve existing behaviour.
- `false` prevents accidental GitHub token leaks in workflows that don't need authenticated Git operations.

Note
Low Risk
Small, backward-compatible composite-action input with default `true`; only affects checkout credential persistence when callers opt out.

Overview
Adds a `persist-credentials` action input (default `true`) and forwards it to the conditional `actions/checkout` step so callers can disable storing the GitHub token in the repo’s git config.

Setting `persist-credentials: false` is intended to reduce accidental token exposure in workflows that do not need authenticated git operations after checkout; workflows that rely on the checked-out repo for authenticated GitHub API calls can keep the default.

Reviewed by Cursor Bugbot for commit 5a07bfa. Bugbot is set up for automated code reviews on this repo.
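An added example, not part of this PR or the project's code: a small Python check that flags `actions/checkout` steps in a workflow file where `persist-credentials` is not literally `false`, which is the case this input lets callers opt out of. The sample workflow is constructed, the function names are this example's own, and the parsing is a line-based heuristic that assumes conventionally indented workflow YAML.

```python
import re

# Line-based heuristic, not a YAML parser: assumes conventional workflow layout.
ITEM = re.compile(r"^\s*-\s+")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
PERSIST = re.compile(r"^\s*persist-credentials:\s*(.+?)\s*(?:#.*)?$")

def split_items(text):
    """Group lines into list items (workflow steps) by the indent of their dash."""
    items, indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment-only lines carry no structure
        cur = len(line) - len(line.lstrip())
        if indent is not None and cur < indent:
            indent = None  # dedent: the current list has ended
        if ITEM.match(line) and indent in (None, cur):
            indent = cur
            items.append((no, [line]))
        elif indent is not None:
            items[-1][1].append(line)
    return items

def first_match(pattern, lines):
    return next((m.group(1) for m in map(pattern.match, lines) if m), None)

def checkouts_persisting_credentials(text, actions=("actions/checkout",)):
    """Return (line, ref, value) for checkout steps that may leave the token stored."""
    findings = []
    for no, lines in split_items(text):
        ref = first_match(USES, lines)
        if ref is None or ref.split("@")[0] not in actions:
            continue
        value = first_match(PERSIST, lines)
        # Unset means the actions/checkout default (true); expressions are reported as-is.
        if value is None or value.strip("'\"").lower() != "false":
            findings.append((no, ref, value or "unset"))
    return findings

# Constructed sample workflow (not taken from the repository in this PR).
SAMPLE = """\
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkout without stored token
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          persist-credentials: ${{ inputs.persist-credentials }}
      - run: npm test
"""

if __name__ == "__main__":
    for finding in checkouts_persisting_credentials(SAMPLE):
        print(finding)
```

Pass a wrapper action's name in `actions` to apply the same check to steps that forward the input to `actions/checkout`.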