From 3ca9a0cb35b620ce6635d6009f781d5e5dc46c74 Mon Sep 17 00:00:00 2001 From: Christopher Horrell Date: Thu, 21 May 2026 19:30:35 -0400 Subject: [PATCH] security: disable git credential persistence in checkout actions Remediate zizmor security finding by setting persist-credentials: false on all actions/checkout usages. This prevents unnecessary storage of git credentials in the GitHub Actions runner environment, reducing the attack surface if the runner is compromised. Changes: - Set persist-credentials: false on all 6 checkout actions across 3 workflows - Applied to dockerimage.yml, linting.yml, and update-current-image.yml - Credentials are still available for the current job but not persisted after
---
.github/workflows/dockerimage.yml | 2 ++ .github/workflows/linting.yml | 6 ++++++ .github/workflows/update-current-image.yml | 4 ++++ 3 files changed, 12 insertions(+)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 0e76190..0975202 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -31,6 +31,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index b5efa28..6b72b73 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -9,6 +9,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: shfmt run: |
@@ -20,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Shellcheck run: |
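Review bot: The `persist-credentials: false` added under the Checkout step in dockerimage.yml stops the token from being written into the checked-out repo's git config, but it does not narrow what the job's `GITHUB_TOKEN` is allowed to do, so the zizmor remediation is only complete if this workflow also declares least-privilege `permissions:`; that block, if it exists, is outside the hunk and I cannot see it. If it is missing, add a workflow-level `permissions: contents: read` and widen it per job only to what the image push actually needs (for example `packages: write`), because any later step that references `github.token` or `secrets.GITHUB_TOKEN` still receives the full default-scope token after this change. The enclosing job definition starts before the hunk.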
@@ -31,6 +35,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Markdownlint uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23.2.0
diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index a49a82e..679eccf 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -21,6 +21,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Validate and Get NODE_VERSION id: get_version
@@ -69,6 +71,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: ccache uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
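Review bot: With `persist-credentials: false` on the Checkout at old line 21 of update-current-image.yml, later steps in this job can no longer push, tag or open a pull request through the checked-out repo's remote without an explicit token, and a workflow named update-current-image plausibly does one of those after the `Validate and Get NODE_VERSION` step. The rest of the job is outside the hunk, so please confirm that no later step relies on the persisted credentials, or hand that step its own token (for example `GH_TOKEN: ${{ github.token }}` on a `gh` step, or a scoped token in the remote URL for a `git push` step). The commit message's claim that credentials remain available for the current job does not hold for git operations against the checkout after this change, so adjust it if such a step exists; the same check applies to the second hunk of this file (old line 69) if that job writes back to the repository.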