Add persist-credentials: false to checkout actions for setup scripts #7523

Merged: pelikhan merged 4 commits into main from copilot/update-checkout-persist-credentials on Dec 24, 2025
Copilot AI commented Dec 24, 2025

Plan: Add persist-credentials: false to Checkout Actions Folder

  • Update 8 files that generate "Checkout actions folder" step to add persist-credentials: false
    • pkg/workflow/cache.go
    • pkg/workflow/compiler_activation_jobs.go (3 locations)
    • pkg/workflow/compiler_safe_outputs_core.go
    • pkg/workflow/notify_comment.go
    • pkg/workflow/publish_assets.go
    • pkg/workflow/repo_memory.go
    • pkg/workflow/threat_detection.go
  • Run existing test to verify: TestCheckoutPersistCredentials passes ✅
  • Verified lock files contain persist-credentials: false
  • Build passes ✅
  • Format passes ✅
  • Confirmed 5 test failures are pre-existing (not caused by this change) ✅
  • Refactored to use helper function generateCheckoutActionsFolder()

Summary

Successfully updated the compiler to add persist-credentials: false to all "Checkout actions folder" steps. This change affects 8 Go files and resulted in 129 lock files being automatically regenerated with the security improvement.

Created a helper function generateCheckoutActionsFolder() in compiler_yaml_helpers.go to eliminate code duplication across 7 files. The refactoring reduced 72 lines of duplicated code while adding the 21-line helper function, for a net reduction of 42 lines.

The change ensures that checkout actions used for setup scripts don't persist Git credentials, following security best practices.

Original prompt

Update compiler when generating checkout to add persist-credentials: false. This is the checkout for setup action scripts.

ai-moderator.lock.yml:64:9: warning: [Medium] artipacked

    - name: Checkout actions folder
      uses: actions/checkout@93cb6ef
      with:
        sparse-checkout: .github/actions

Missing: persist-credentials: false


Copilot AI and others added 2 commits December 24, 2025 16:48
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update checkout to include persist-credentials: false" to "Add persist-credentials: false to checkout actions for setup scripts" Dec 24, 2025
Copilot AI requested a review from pelikhan December 24, 2025 17:04
@pelikhan pelikhan left a comment

@copilot create a helper function that generates the checkout for actions/setup and reuse it in the compiler to avoid code duplication

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Dec 24, 2025

@copilot create a helper function that generates the checkout for actions/setup and reuse it in the compiler to avoid code duplication

Created helper function generateCheckoutActionsFolder() in compiler_yaml_helpers.go and refactored all 7 files to use it. This eliminated 72 lines of duplicated code across the codebase. (commit 36a1ea5)

@pelikhan pelikhan marked this pull request as ready for review December 24, 2025 17:20
@pelikhan pelikhan merged commit 0b7ff7e into main Dec 24, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/update-checkout-persist-credentials branch December 24, 2025 17:20
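
The condition the artipacked warning in this PR reports can also be checked directly over generated lock files. The scanner below is an added example, not code from this PR or its project: `findPersistingCheckouts` and `sample` are hypothetical names, and it assumes each workflow step starts with a `- ` list item, as in the step quoted in the original prompt.

```go
package main

import (
	"fmt"
	"strings"
)

// findPersistingCheckouts returns the 1-based line of every actions/checkout
// "uses:" whose step lacks persist-credentials: false. Assumption: each step
// starts with a "- " item; a nested list inside a step may cause over-reporting.
func findPersistingCheckouts(yaml string) (out []int) {
	cur, safe := 0, false // line of the open checkout step (0 = none); flag seen
	// The appended "- end" sentinel closes the last step inside the loop.
	for i, raw := range strings.Split(yaml+"\n- end", "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "- ") { // a new list item closes the previous step
			if cur != 0 && !safe {
				out = append(out, cur)
			}
			cur, safe, line = 0, false, line[2:]
		}
		key, val, _ := strings.Cut(line, ":")
		f := append(strings.Fields(val), "") // f[0]: value without trailing "# comment"
		v := strings.Trim(f[0], `"'`)
		switch strings.TrimSpace(key) {
		case "uses":
			if v == "actions/checkout" || strings.HasPrefix(v, "actions/checkout@") {
				cur = i + 1
			}
		case "persist-credentials":
			safe = safe || v == "false"
		}
	}
	return out
}

// sample is constructed: the step flagged in the PR, then a step with the fix.
const sample = `steps:
  - name: Checkout actions folder
    uses: actions/checkout@93cb6ef
    with:
      sparse-checkout: .github/actions
  - uses: actions/checkout@93cb6ef
    with:
      persist-credentials: false
`

func main() { fmt.Println(findPersistingCheckouts(sample)) }
```

Run over the constructed sample, it reports line 3, the `uses:` line of the step that has no `persist-credentials: false`.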