chore(ci): don't persist creds during checkout

.github/workflows/action_compliance.yaml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Ensure SHA pinned actions
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@64418826697dcd77c93a8e4a1f7601a1942e57b5 # v3.0.18
         with:
@@ -26,6 +28,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: check-missing-teardown
         run: .github/workflows/scripts/teardown-check.sh
       - name: actionlint

.github/workflows/codeql.yml

@@ -76,11 +76,14 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: recursive
+        persist-credentials: 'false'
         fetch-depth: 0
 
     - if: matrix.build-mode != 'manual'
       name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: 'false'
 
     - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
       with:

.github/workflows/commit_compliance.yml

@@ -20,6 +20,8 @@ jobs:
           accessToken: ${{ secrets.GITHUB_TOKEN }} # github access token is only required if checkAllCommitMessages is true
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: linelint
         uses: fernandrone/linelint@8136e0fa9997122d80f5f793e0bb9a45e678fbb1 # 0.0.4
         id: linelint

.github/workflows/concrete_compiler_benchmark.yml

@@ -54,6 +54,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Ouput benchmark details
         id: benchmark-details
         run: |
@@ -126,6 +127,7 @@ jobs:
           repository: zama-ai/slab
           path: slab
           token: ${{ secrets.CONCRETE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
       - name: Send data to Slab
         shell: bash
         run: |

.github/workflows/concrete_compiler_publish_docker_images.yml

@@ -58,6 +58,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Set up env
         run: |
           echo "HOME=/home/ubuntu" >> "${GITHUB_ENV}"
@@ -110,6 +111,7 @@ jobs:
         with:
           fetch-depth: 0
           submodules: recursive
+          persist-credentials: 'false'
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v44.5.24
@@ -176,6 +178,7 @@ jobs:
         with:
           fetch-depth: 0
           submodules: recursive
+          persist-credentials: 'false'
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v44.5.24

.github/workflows/concrete_compiler_test_cpu.yml

@@ -45,6 +45,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Format with clang-format (Cpp)
         run: |
           sudo apt install moreutils
@@ -97,6 +99,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Create build dir
         run: mkdir build
       - name: Build compiler

.github/workflows/concrete_compiler_test_cpu_distributed.yml

@@ -53,6 +53,7 @@ jobs:
         with:
           fetch-depth: 0
           submodules: recursive
+          persist-credentials: 'false'
 
       - name: Set up home
         # "Install rust" step require root user to have a HOME directory which is not set.

.github/workflows/concrete_compiler_test_gpu.yml

@@ -52,6 +52,7 @@ jobs:
         with:
           fetch-depth: 0
           submodules: recursive
+          persist-credentials: 'false'
       - name: Create build dir
         run: mkdir build
       - name: Build and test compiler

.github/workflows/concrete_compiler_test_macos_cpu.yml

@@ -45,6 +45,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Setup rust toolchain for concrete-cpu
         uses: ./.github/actions/setup_rust_toolchain_for_concrete_cpu
       - name: Set python variables

.github/workflows/concrete_cpu_test.yml

@@ -26,6 +26,8 @@ jobs:
       RUSTFLAGS: -D warnings
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
 
       - name: Rust install
         uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7

.github/workflows/concrete_ml_test.yml

@@ -50,6 +50,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
+          persist-credentials: 'false'
       - name: Set release version
         run: echo "__version__ = \"$(date +"%Y.%m.%d")\"" >| frontends/concrete-python/version.txt
       - name: Expose release version from Python

.github/workflows/concrete_optimizer.yml

@@ -35,6 +35,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Setup
         uses: ./.github/actions/optimizer_setup
       - name: Formatting
@@ -63,9 +65,14 @@ jobs:
 
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      # to comment the benchmark result in the PR
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Setup
         uses: ./.github/actions/optimizer_setup
       - name: Run benchmark

.github/workflows/concrete_python_benchmark.yml

@@ -44,6 +44,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
 
       - name: Benchmark
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
@@ -86,6 +87,7 @@ jobs:
           repository: zama-ai/slab
           path: slab
           token: ${{ secrets.CONCRETE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
 
       - name: Send data to Slab
         shell: bash

.github/workflows/concrete_python_finalize_release.yml

@@ -47,6 +47,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Get version from tag
         run: |
           # remove leading 'v' and '-' from tag

.github/workflows/concrete_python_release.yml

@@ -33,6 +33,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Avoid releasing nightly twice
         if: ${{ env.RELEASE_TYPE == 'nightly' }}
         run: |
@@ -74,6 +75,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Set release version (nightly)
         if: ${{ env.RELEASE_TYPE == 'nightly' }}
         run: |
@@ -215,6 +217,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
@@ -258,6 +261,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Install OS Dependencies
         run: |
           brew install ninja ccache
@@ -413,6 +417,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           path: wheels
@@ -494,6 +499,7 @@ jobs:
         with:
           submodules: recursive
           path: repo
+          persist-credentials: 'false'
       - name: Test wheel
         run: |
           WHEEL_DIR=$(pwd)/${{ format('cpu-wheel-{0}-linux-x86', matrix.python-version) }}/
@@ -610,6 +616,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: repo
+          persist-credentials: 'false'
 
       - name: Test wheel
         run: |
@@ -679,6 +686,7 @@ jobs:
         with:
           submodules: recursive
           path: repo
+          persist-credentials: 'false'
       - name: Test wheel
         run: |
           WHEEL_DIR=$(pwd)/${{ format('cpu-wheel-{0}-{1}', matrix.python-version, matrix.runs-on) }}/

.github/workflows/concrete_python_test_macos.yml

@@ -40,6 +40,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Install build dependencies
         run: |
           brew install ninja ccache

.github/workflows/concrete_python_tests_linux.yml

@@ -43,6 +43,8 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Install platform dependencies
         run: |
           sudo apt install -y graphviz libgraphviz-dev
@@ -70,6 +72,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Create concrete build directory
         run: mkdir build
 
@@ -150,6 +153,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
@@ -193,6 +197,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Download concrete-compiler python-bindings
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
@@ -239,6 +244,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Download concrete-compiler python-bindings
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:

.github/workflows/docker_compliance.yml

@@ -17,6 +17,8 @@ jobs:
       image: hadolint/hadolint@sha256:27173fe25e062448490a32de410c08491c626a0bef360aa2ce5d5bdd9384b50d #2.12.0-debian
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
 
       - name: Lint All Dockerfiles (except third_party)
         run: find  . -name "*Dockerfile*" -not -path "./third_party/*" -exec hadolint -V {} \;

.github/workflows/refresh_zama_pypi.yml

@@ -8,6 +8,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
+        with:
+          persist-credentials: 'false'
 
       - name: Update index and invalidate cache
         env:

.github/workflows/trivy_scan.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: true
+          persist-credentials: 'false'
 
       - name: Export DateTime
         run: |