fix(github): add persist-credentials: false to workflow templates (#8202)

2026-02-01 22:48:16 +00:00 · 2026-01-13 16:53:30 +01:00
parent 883a6577d5
commit a092f567b7
3 changed files with 20 additions and 10 deletions
--- a/github/README.md
+++ b/github/README.md
@@ -81,12 +81,13 @@ This will walk you through installing the GitHub app, creating the workflow, and
       permissions:
         id-token: write
       steps:
-         - name: Checkout repository
-           uses: actions/checkout@v6
-           with:
-             fetch-depth: 1
+          - name: Checkout repository
+            uses: actions/checkout@v6
+            with:
+              fetch-depth: 1
+              persist-credentials: false

-         - name: Run opencode
+          - name: Run opencode
           uses: anomalyco/opencode/github@latest
           env:
             ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
--- a/packages/opencode/src/cli/cmd/github.ts
+++ b/packages/opencode/src/cli/cmd/github.ts
@@ -394,6 +394,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
+        with:
+          persist-credentials: false

      - name: Run opencode
        uses: anomalyco/opencode/github@latest${envStr}
--- a/packages/web/src/content/docs/github.mdx
+++ b/packages/web/src/content/docs/github.mdx
@@ -57,12 +57,13 @@ Or you can set it up manually.
       permissions:
         id-token: write
       steps:
-         - name: Checkout repository
-           uses: actions/checkout@v6
-           with:
-             fetch-depth: 1
+          - name: Checkout repository
+            uses: actions/checkout@v6
+            with:
+              fetch-depth: 1
+              persist-credentials: false

-         - name: Run OpenCode
+          - name: Run OpenCode
           uses: anomalyco/opencode/github@latest
           env:
             ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -135,6 +136,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
+        with:
+          persist-credentials: false

      - name: Run OpenCode
        uses: anomalyco/opencode/github@latest
@@ -172,6 +175,8 @@ jobs:
      issues: read
    steps:
      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
      - uses: anomalyco/opencode/github@latest
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -223,6 +228,8 @@ jobs:

      - uses: actions/checkout@v6
        if: steps.check.outputs.result == 'true'
+        with:
+          persist-credentials: false

      - uses: anomalyco/opencode/github@latest
        if: steps.check.outputs.result == 'true'