From 3b6f12093c3e216f88a460fe91898ad68597c699 Mon Sep 17 00:00:00 2001
From: Jamie Cunningham
Date: Mon, 16 Dec 2024 16:12:30 -0500
Subject: [PATCH] ci: don't persist credentials on checkout (#30)

* don't persist credentials on checkout
* add no persistence to other stages
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/release-pypi.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a019b84..d52dc3c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -84,6 +84,8 @@ jobs:
 steps:
 - name: Check out repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index 00249a2..f28b358 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -26,6 +26,7 @@ jobs:
 name: package-distributions
 github-token: ${{ secrets.RELEASE_TOKEN }}
 path: dist/
+ persist-credentials: false
 - name: Sign the dists
 uses: sigstore/gh-action-sigstore-python@v2.1.1
 with:
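Review bot: The new `with:` block on the checkout step in build.yml carries no comment saying why credentials are dropped, so a later cleanup could remove it as noise. A one-line comment above it would record the intent, for example `# Keep the job token out of .git/config so later steps and uploaded artifacts cannot pick it up`. Only this one checkout step is visible and the rest of the job lies outside the hunk. Any other `actions/checkout` use in the file, and any later step that depends on authenticated git commands, should be checked against this setting.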
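Review bot: `persist-credentials` is an input of `actions/checkout`, but in release-pypi.yml it is added to a step whose other inputs are `name`, `github-token` and `path`. That looks like an artifact download step rather than a checkout, though the step's `uses:` line is above the hunk, so this is inferred. If so, the runner will most likely warn about an unexpected input and ignore it, so the line gives no protection while suggesting a hardening that is not in place. I would drop the line here and, if this workflow has a checkout step elsewhere, put `persist-credentials: false` under that step's `with:` instead.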