From ab57b5825589877886c5a49a2264f52e134523fa Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Thu, 8 Jan 2026 03:25:35 +1000
Subject: [PATCH] [CI] Set `persist-credentials: false` for `actions/checkout` steps
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/ci.yml | 1 +
 .github/workflows/codecov.yml | 1 +
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/docker-cloudstack-simulator.yml | 2 ++
 .github/workflows/main-sonar-check.yml | 2 +-
 .github/workflows/pre-commit.yml | 2 ++
 .github/workflows/rat.yml | 2 ++
 .github/workflows/sonar-check.yml | 2 +-
 .github/workflows/ui.yml | 2 ++
 10 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 84020f4a6b06..58670d794623 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,6 +31,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Set up JDK 17
 uses: actions/setup-java@v5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4edd448067ae..84dbd34192db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -219,6 +219,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up JDK 17
 uses: actions/setup-java@v5
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index fbd944a758f9..321d2d6dc831 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -35,6 +35,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up JDK 17
 uses: actions/setup-java@v5
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 74e59aa821d1..2dc802c3ff10 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
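Review bot: The `with:` block added after `actions/checkout@v5` in build.yml carries no comment saying why credentials are dropped, and the same bare addition repeats in ci.yml, codecov.yml, codeql-analysis.yml, docker-cloudstack-simulator.yml, pre-commit.yml, rat.yml and ui.yml. A one-line comment such as `# keep the job token out of .git/config so later build steps cannot read it` above `persist-credentials: false` would stop a future editor from removing the setting when adding a git step. The setting only removes the stored copy of the token; what the token is allowed to do is still decided by the workflow's `permissions:` block, which is outside these hunks, so it is worth confirming that each workflow declares a least-privilege one (for example `contents: read`). The jobs continue past the hunks, so any later step that relies on authenticated git commands should be checked too.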
@@ -36,6 +36,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
diff --git a/.github/workflows/docker-cloudstack-simulator.yml b/.github/workflows/docker-cloudstack-simulator.yml
index af6cbf49f5ef..dafa47a00f9d 100644
--- a/.github/workflows/docker-cloudstack-simulator.yml
+++ b/.github/workflows/docker-cloudstack-simulator.yml
@@ -48,6 +48,8 @@ jobs:
 run: echo "DOCKER_REPOSITORY=apache" >> $GITHUB_ENV
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Set ACS version
 run: echo "ACS_VERSION=$(grep '' pom.xml | head -2 | tail -1 | cut -d'>' -f2 |cut -d'<' -f1)" >> $GITHUB_ENV
diff --git a/.github/workflows/main-sonar-check.yml b/.github/workflows/main-sonar-check.yml
index 224ea2cde801..db47cbb76b3f 100644
--- a/.github/workflows/main-sonar-check.yml
+++ b/.github/workflows/main-sonar-check.yml
@@ -35,7 +35,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
-
+ persist-credentials: false
 - name: Set up JDK17
 uses: actions/setup-java@v5
 with:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 11fe5c068814..274004f5e79e 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -33,6 +33,8 @@ jobs:
 steps:
 - name: Check Out
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Install
 run: |
 python -m pip install --upgrade pip
diff --git a/.github/workflows/rat.yml b/.github/workflows/rat.yml
index d71f4b0852d8..4222004a9445 100644
--- a/.github/workflows/rat.yml
+++ b/.github/workflows/rat.yml
@@ -31,6 +31,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Set up JDK 17
 uses: actions/setup-java@v5
 with:
diff --git a/.github/workflows/sonar-check.yml b/.github/workflows/sonar-check.yml
index 31fb671cc58f..fcb07488a172 100644
--- a/.github/workflows/sonar-check.yml
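Review bot: In main-sonar-check.yml the new `persist-credentials: false` line takes the place of the blank line that separated the checkout step from `- name: Set up JDK17`, so the two steps now run together; sonar-check.yml has the same change. Judging by the hunk line counts, the other workflows in this patch keep an empty line between steps where one existed. Adding the key directly after `fetch-depth: 0` and leaving the empty line in place would match them and keep the hunk a pure addition.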
+++ b/.github/workflows/sonar-check.yml
@@ -37,7 +37,7 @@ jobs:
 with:
 ref: "refs/pull/${{ github.event.number }}/merge"
 fetch-depth: 0
-
+ persist-credentials: false
 - name: Set up JDK17
 uses: actions/setup-java@v5
 with:
diff --git a/.github/workflows/ui.yml b/.github/workflows/ui.yml
index 56b04a6f9c96..7ee1c2023940 100644
--- a/.github/workflows/ui.yml
+++ b/.github/workflows/ui.yml
@@ -32,6 +32,8 @@ jobs:
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Set up Node
 uses: actions/setup-node@v5
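Review bot: The checkout in sonar-check.yml fetches `refs/pull/${{ github.event.number }}/merge`, that is, code from the pull request, and `persist-credentials: false` only keeps the job token out of `.git/config`; it does not limit what the build and Sonar steps that follow can reach. The workflow trigger and the secrets handed to those steps are outside this hunk. If the job runs on `pull_request_target`, or otherwise receives an analysis token while building PR code, that code executes with those secrets in scope, so the job should be gated to same-repository pull requests or split so the upload runs apart from the untrusted build. A comment above `ref:` stating which trigger and gate make this checkout safe would help the next reviewer.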