ifix(ci): do not persist checkout credentials when not required

.github/reusable-workflows/setup-gradle/action.yml

@@ -17,6 +17,10 @@ inputs:
     description: 'dependency-graph input for gradle/actions/setup-gradle'
     required: false
     default: 'disabled'
+  persist-credentials:
+    description: 'Control the actions/checkout persist-credentials setting'
+    required: false
+    default: false
 runs:
   using: "composite"
   steps:
@@ -26,6 +30,7 @@ runs:
         fetch-depth: ${{ inputs.fetch-depth }}
         token: ${{ inputs.token }}
         lfs: true
+        persist-credentials: ${{ inputs.persist-credentials }}
 
     - name: Set up JDK
       uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0

.github/workflows/ci.yml

@@ -49,6 +49,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Dependency Review
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4

.github/workflows/release.yml

@@ -21,6 +21,7 @@ jobs:
         token: ${{ secrets.POST_RELEASE_GH_TOKEN }}
         fetch-depth: 0
         cache-read-only: ${{ github.ref != 'refs/heads/main' }}
+        persist-credentials: true
 
     - name: Set up Git author
       shell: bash