fix(github): add persist-credentials: false to workflow templates (#8202)

author: Leonidas <[email protected]> 2026-01-13 16:53:30 +0100
committer: GitHub <[email protected]> 2026-01-13 09:53:30 -0600
commit: a092f567b76770cedaea0e3e9a13c574584b4fcb (patch)
tree: 2e411d0d266a52d971332b48f3aceb2fa3531305
parent: 883a6577d570f5e98af81229716e409dbf20493f (diff)
download: opencode-a092f567b76770cedaea0e3e9a13c574584b4fcb.tar.gz
opencode-a092f567b76770cedaea0e3e9a13c574584b4fcb.zip
3 files changed, 20 insertions, 10 deletions
diff --git a/github/README.md b/github/README.md
index 954710f23..8238bdc42 100644
--- a/github/README.md
+++ b/github/README.md
@@ -81,12 +81,13 @@ This will walk you through installing the GitHub app, creating the workflow, and
        permissions:
          id-token: write
        steps:
-         - name: Checkout repository
-           uses: actions/checkout@v6
-           with:
-             fetch-depth: 1
+          - name: Checkout repository
+            uses: actions/checkout@v6
+            with:
+              fetch-depth: 1
+              persist-credentials: false
 
-         - name: Run opencode
+          - name: Run opencode
            uses: anomalyco/opencode/github@latest
            env:
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/packages/opencode/src/cli/cmd/github.ts b/packages/opencode/src/cli/cmd/github.ts
index d8b1bea30..927c964c9 100644
--- a/packages/opencode/src/cli/cmd/github.ts
+++ b/packages/opencode/src/cli/cmd/github.ts
@@ -394,6 +394,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Run opencode
         uses: anomalyco/opencode/github@latest${envStr}
diff --git a/packages/web/src/content/docs/github.mdx b/packages/web/src/content/docs/github.mdx
index 879914c74..6e8b9de4d 100644
--- a/packages/web/src/content/docs/github.mdx
+++ b/packages/web/src/content/docs/github.mdx
@@ -57,12 +57,13 @@ Or you can set it up manually.
        permissions:
          id-token: write
        steps:
-         - name: Checkout repository
-           uses: actions/checkout@v6
-           with:
-             fetch-depth: 1
+          - name: Checkout repository
+            uses: actions/checkout@v6
+            with:
+              fetch-depth: 1
+              persist-credentials: false
 
-         - name: Run OpenCode
+          - name: Run OpenCode
            uses: anomalyco/opencode/github@latest
            env:
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -135,6 +136,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Run OpenCode
         uses: anomalyco/opencode/github@latest
@@ -172,6 +175,8 @@ jobs:
       issues: read
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: anomalyco/opencode/github@latest
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -223,6 +228,8 @@ jobs:
 
       - uses: actions/checkout@v6
         if: steps.check.outputs.result == 'true'
+        with:
+          persist-credentials: false
 
       - uses: anomalyco/opencode/github@latest
         if: steps.check.outputs.result == 'true'
author	Leonidas <[email protected]>	2026-01-13 16:53:30 +0100
committer	GitHub <[email protected]>	2026-01-13 09:53:30 -0600
commit	a092f567b76770cedaea0e3e9a13c574584b4fcb (patch)
tree	2e411d0d266a52d971332b48f3aceb2fa3531305
parent	883a6577d570f5e98af81229716e409dbf20493f (diff)
download	opencode-a092f567b76770cedaea0e3e9a13c574584b4fcb.tar.gz opencode-a092f567b76770cedaea0e3e9a13c574584b4fcb.zip