Only persist git credentials where we need to use them

- Don't leave these around when we don't need to.
- Explicitly set to true where we need them, with a comment highlighting why we're keeping them.
- Fix a few places we weren't using the centrally managed checkout version.
- Tweak the conditionals for submodules so the `with:` is always there now.

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml

@@ -40,10 +40,11 @@ jobs:
       #{{- end }}#
       - name: Checkout Repo
         uses: #{{ .Config.actionVersions.checkout }}#
-        #{{- if .Config.checkoutSubmodules }}#
         with:
+          #{{- if .Config.checkoutSubmodules }}#
           submodules: #{{ .Config.checkoutSubmodules }}#
-        #{{- end }}#
+          #{{- end }}#
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml

@@ -32,10 +32,11 @@ jobs:
       #{{- end }}#
       - name: Checkout Repo
         uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
         with:
+          #{{- if .Config.checkoutSubmodules }}#
           submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+          #{{- end }}#
+          persist-credentials: false
       - name: Cache examples generation
         uses: actions/cache@v4
         with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/check-upstream-upgrade.yml

@@ -10,10 +10,12 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-        #{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-    #{{- end }}#
+        #{{- end }}#
+        # Persist credentials so upgrade-provider can push a new branch.
+        persist-credentials: true
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml

@@ -41,10 +41,11 @@ jobs:
         swap-storage: false
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Configure AWS Credentials
       uses: #{{ .Config.actionVersions.configureAwsCredentials }}#
       with:
@@ -140,10 +141,11 @@ jobs:
 #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml

@@ -50,10 +50,11 @@ jobs:
 #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml

@@ -80,10 +80,11 @@ jobs:
 #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml

@@ -38,10 +38,11 @@ jobs:
 #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - uses: pulumi/provider-version-action@v1
       id: provider-version
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml

@@ -32,10 +32,11 @@ jobs:
       run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:
@@ -102,10 +103,12 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        # Persist credentials so we can push back to the repo
+        persist-credentials: true
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:
@@ -168,7 +171,9 @@ jobs:
     runs-on: #{{ .Config.runner.default }}#
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@v4
+      uses: #{{ .Config.actionVersions.checkout }}#
+      with:
+        persist-credentials: false
     - name: Clean up release labels
       uses: pulumi/action-release-by-pr-label@main
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml

@@ -89,10 +89,11 @@ jobs:
 #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml

@@ -11,15 +11,18 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-      #{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-      #{{- end }}#
+        #{{- end }}#
+        # Persist credentials so we can push a new branch.
+        persist-credentials: true
     - name: Checkout repo
       uses: #{{ .Config.actionVersions.checkout }}#
       with:
         path: ci-mgmt
         repository: pulumi/ci-mgmt
+        persist-credentials: false
     - id: run-url
       name: Create URL to the run output
       run:  echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml

@@ -135,6 +135,7 @@ jobs:
         #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
         #{{- end }}#
+        persist-credentials: false
     - name: Checkout p/examples
       if: matrix.testTarget == 'pulumiExamples'
       uses: #{{ .Config.actionVersions.checkout }}#

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml

@@ -68,10 +68,11 @@ jobs:
     #{{- end }}#
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-      #{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-    #{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml

@@ -20,10 +20,12 @@ jobs:
       #{{- end }}#
       - name: Checkout Repo
         uses: #{{ .Config.actionVersions.checkout }}#
-        #{{- if .Config.checkoutSubmodules }}#
         with:
+          #{{- if .Config.checkoutSubmodules }}#
           submodules: #{{ .Config.checkoutSubmodules }}#
-        #{{- end }}#
+          #{{- end }}#
+          # Persist credentials so upgrade-provider can push a new branch.
+          persist-credentials: true
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml

@@ -15,7 +15,9 @@ jobs:
     runs-on: #{{ .Config.runner.default }}#
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: #{{ .Config.actionVersions.checkout }}#
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml

@@ -16,10 +16,11 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Install go
       uses: actions/setup-go@v5
       with:

provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml

@@ -10,10 +10,11 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - name: Comment PR
       uses: #{{ .Config.actionVersions.prComment }}#
       with:

provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml

@@ -64,7 +64,9 @@ jobs:
     runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: #{{ .Config.actionVersions.checkout }}#
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml

@@ -9,10 +9,11 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - uses: peter-evans/slash-command-dispatch@v4
       with:
         commands: |

provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml

@@ -9,10 +9,11 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
-#{{- if .Config.checkoutSubmodules }}#
       with:
+        #{{- if .Config.checkoutSubmodules }}#
         submodules: #{{ .Config.checkoutSubmodules }}#
-#{{- end }}#
+        #{{- end }}#
+        persist-credentials: false
     - id: schema_changed
       name: Check for diff in schema
       uses: #{{ .Config.actionVersions.pathsFilter }}#

provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml

@@ -12,6 +12,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: #{{ .Config.actionVersions.checkout }}#
+      with:
+        persist-credentials: false
     - name: Should release PR
       uses: pulumi/action-release-by-pr-label@main
       with:

provider-ci/test-providers/acme/.github/workflows/build_provider.yml

@@ -31,6 +31,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/test-providers/acme/.github/workflows/build_sdk.yml

@@ -41,6 +41,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Cache examples generation
         uses: actions/cache@v4
         with:

provider-ci/test-providers/acme/.github/workflows/check-upstream-upgrade.yml

@@ -10,6 +10,9 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        # Persist credentials so upgrade-provider can push a new branch.
+        persist-credentials: true
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/test-providers/acme/.github/workflows/license.yml

@@ -31,6 +31,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

provider-ci/test-providers/acme/.github/workflows/lint.yml

@@ -31,6 +31,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Install go
       uses: actions/setup-go@v5
       with:

provider-ci/test-providers/acme/.github/workflows/main.yml

@@ -56,6 +56,8 @@ jobs:
         swap-storage: false
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
@@ -136,6 +138,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/test-providers/acme/.github/workflows/prerelease.yml

@@ -80,6 +80,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

provider-ci/test-providers/acme/.github/workflows/prerequisites.yml

@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: pulumi/provider-version-action@v1
       id: provider-version
       with: