ci: add persist-credentials: false to checkout step

jyotshnayaparla-00 · jyotshnayaparla-00 · commit 2dc83b9362e7 · 2026-03-20T16:31:15.000Z
actions/checkout@v6 stores credentials using includeIf scoped to the repo
and its worktrees. The docs deploy action creates a temporary worktree,
causing checkout's GITHUB_TOKEN credentials to override the app token,
resulting in a 403 as github-actions[bot].

Setting persist-credentials: false prevents checkout from storing any
credentials, so only the deploy action's own app token is used.
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
@@ -62,6 +62,7 @@ jobs:
         with:
           fetch-tags: true
           ref: ${{ env.SHA_TO_RELEASE }}
+          persist-credentials: false
 
       - name: Download artifact
         id: download-artifact
