Do not persist GHA credentials on checkout

Author: bkoelman

.github/workflows/build.yml

@@ -58,6 +58,8 @@ jobs:
         Write-Host "Active .NET SDK: $(dotnet --version)"
     - name: Git checkout
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Restore tools
       run: dotnet tool restore
     - name: Restore packages
@@ -166,6 +168,8 @@ jobs:
           10.0.*
     - name: Git checkout
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Restore tools
       run: dotnet tool restore
     - name: InspectCode
@@ -228,6 +232,7 @@ jobs:
     - name: Git checkout
       uses: actions/checkout@v6
       with:
+        persist-credentials: false
         fetch-depth: 2
     - name: Restore tools
       run: dotnet tool restore

.github/workflows/codeql.yml

@@ -31,6 +31,8 @@ jobs:
           10.0.*
     - name: Git checkout
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4
       with:

.github/workflows/deps-review.yml

@@ -8,7 +8,9 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout Repository'
-        uses: actions/checkout@v6
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+    - name: 'Checkout Repository'
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v4

.github/workflows/qodana.yml

@@ -31,6 +31,7 @@ jobs:
     - name: Git checkout
       uses: actions/checkout@v6
       with:
+        persist-credentials: false
         ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
         fetch-depth: 0  # a full history is required for pull request analysis
     - name: Restore tools