From f74eec8e00ab0b87b5b3589249b445e4fe1eb04d Mon Sep 17 00:00:00 2001
From: William Storey
Date: Thu, 11 Jun 2026 16:14:12 +0000
Subject: [PATCH] Don't persist credentials in pages checkout

zizmor flags the checkout step in pages.yml for artipacked: without persist-credentials: false, the GitHub token is written into the local git config and could leak via later steps or artifacts. Nothing after the checkout needs git credentials.

Co-Authored-By: Claude Fable 5
---
 .github/workflows/pages.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index f1491df..2b64551 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: "Checkout"
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
 - name: "Setup Ruby"
 uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0
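Review bot: The added `with:` block on the "Checkout" step has no inline comment recording why credentials are not persisted, so a later edit could remove it without realising it is a hardening measure. Consider `persist-credentials: false  # keep the token out of .git/config (zizmor: artipacked)`. The commit message says nothing after the checkout needs git credentials, but the job continues past "Setup Ruby" outside this hunk, so that cannot be confirmed here. It is worth checking that no later step runs git against the remote, and that any step uploading the workspace as an artifact excludes `.git`.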