fix(workflows): restore git push credentials in workflows that use persist-credentials: false

vpomerleau · vpomerleau · commit 04c56631ea97 · 2026-03-10T13:26:40.000-07:00
Because:

* A prior security hardening commit added persist-credentials: false to all checkouts across three workflows. While appropriate for read-only checkouts, this setting strips the credential helper from the git config, which broke git push in any checkout that a
   subsequent push step depends on. The affected checkouts were the gh-pages branch checkouts in cleanup-storybooks and deploy-storybooks, and the sole checkout in tag-release.

This commit:

* Removes persist-credentials: false from the specific checkouts that feed into push steps, while leaving it in place on read-only checkouts (e.g. the main-repo script checkout in cleanup-storybooks and the repo checkout in deploy-storybooks). This
  restores implicit GITHUB_TOKEN credential persistence for those steps without widening the credential scope of unrelated checkouts in the same job.

Closes #
diff --git a/.github/workflows/cleanup-storybooks.yml b/.github/workflows/cleanup-storybooks.yml
@@ -23,7 +23,6 @@ jobs:
           ref: gh-pages
           path: gh-pages
           fetch-depth: 1
-          persist-credentials: false
 
       - name: Remove PR directory
         run: |
diff --git a/.github/workflows/deploy-storybooks.yml b/.github/workflows/deploy-storybooks.yml
@@ -113,7 +113,6 @@ jobs:
           ref: gh-pages
           path: gh-pages
           fetch-depth: 1
-          persist-credentials: false
 
       - name: Set deployment directory
         id: deploy-dir
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -18,8 +18,6 @@ jobs:
 
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          persist-credentials: false
 
       - name: Fetch all git tags
         run: git fetch --tags origin
