From b9e21e1c70e75a93780eead18ba574a9280c8212 Mon Sep 17 00:00:00 2001
From: Landon Grindheim
Date: Tue, 17 Jun 2025 12:52:58 -0400
Subject: [PATCH 1/2] Opt out of persisting credentials

`actions/checkout` uses a default value of `true` for `persist-credentials`, which results in credentials being written to the Git config.
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 15d100f..f811beb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Ruby
 uses: ruby/setup-ruby@v1
 with:
From fe2f7221bffd6d1ec0efcc8c2a5a9e701c4d150a Mon Sep 17 00:00:00 2001
From: Landon Grindheim
Date: Tue, 17 Jun 2025 12:54:56 -0400
Subject: [PATCH 2/2] Use `persist-credentials: false` in example

Since this snippet is meant to be exemplary, it makes sense to explicitly set `persist-credentials` to `false`. The default value is `true`.
---
 _posts/2023-12-14-trusted-publishing.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/_posts/2023-12-14-trusted-publishing.md b/_posts/2023-12-14-trusted-publishing.md
index afb424e..8a222d7 100644
--- a/_posts/2023-12-14-trusted-publishing.md
+++ b/_posts/2023-12-14-trusted-publishing.md
@@ -37,6 +37,8 @@ jobs:
 steps:
 # Set up
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Ruby
 uses: ruby/setup-ruby@v1
 with:
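Review bot: Nothing in the build.yml hunk shows whether a later step of this job runs an authenticated git command, and such a step would stop working once `persist-credentials: false` is set on the Checkout step. The job's step list continues outside the hunk, so that is worth confirming before merge. A short comment above the new `with:` would keep the intent visible in the workflow itself, for example `# Do not leave the GITHUB_TOKEN in .git/config for later steps`. The diffstat shows this as the only change in the file, so if build.yml defines other jobs with their own checkout step, they presumably want the same setting.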