Automatically remove persisted-credentials
Most of the time when check-spelling is run with checkout: true, it has no use for credentials after the checkout step finishes.
Users would like the security of not having credentials lying around, and this seems like a reasonable feature.
Background
It's an optional feature of actions/checkout in the form of the persist-credentials flag.
Unfortunately, actions/checkout's implementation interacts poorly with git's submodules feature, and it doesn't work for repositories with submodules in some circumstances.
Generally, check-spelling with checkout: true doesn't check submodules anyway.
Approach
check-spelling as of v0.0.25 when set to checkout: true will remove persisted unless it is updating the expect list.
It does not use the actions/checkout implementation, although the general behavior is the same:
actions/checkoutsets up a repository (with the credentials necessary to fetch)actions/checkoutfetches the repository data (using the configured credentials)actions/checkoutchecks out the desired reference- something attempts to iterate over the checked out repository to remove the credentials
The implementation lives in remove-persisted-credentials.
FAQ | Showcase | Event descriptions | Configuration information | Known Issues | Possible features | Deprecations | Release notes | Helpful scripts