[security] Escalate concerning default persist-credentials=true please #2312

@hartwork

Hi! Thanks for this important piece of infrastructure!

Through issue #2299 I learned about commit c170eef making persist-credentials=true the default with actions/checkout from version v2-beta on in 2019. There is an open issue #485 already from 2021 that came forward with security concerns where the issue is named a "severe security issue" and where it was directly linked to past "successful" PyTorch supply chain attacks and yet — from what I can see — no one employed by GitHub commented in that issue: pure silence. There is a related pull request #1687 from April 2024 that flips the default to false that has not received any replies from GitHub since then.

I would like to ask:

  • Why are these public concerns being ignored since 2021?
  • Is persist-credentials=true considered safe by GitHub and what is the officially assumed threat model for persist-credentials=true?
  • Does recent pull request Persist creds to a separate file #2286 of v6-beta and after change this picture in any meaningful way? If yes: could you elaborate how?
  • What am I missing in this picture?

Thanks for your time!

Best, Sebastian

CC @briansmith @haampie @eregon @michi-covalent @ericsciple @hannob
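As an added example that is not part of this issue or of actions/checkout itself, the following Python scanner flags checkout steps in a workflow that leave persist-credentials at its default of true (or set it to true explicitly), which is the setting the concerns above are about. The workflow text is constructed for the example, and the scanner assumes each step begins with `- ` with its keys on deeper-indented lines; a production audit should use a real YAML parser.

```python
import re

# Constructed sample workflow (not from the issue): one default checkout, one opted out.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout with default settings
        uses: actions/checkout@v4
      - name: Checkout without persisted token
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test
"""

STEP_START = re.compile(r"^\s*-\s+")
CHECKOUT = re.compile(r"^uses:\s*actions/checkout@(\S+)")
PERSIST = re.compile(r"^persist-credentials:\s*(true|false)\s*$")
NAME = re.compile(r"^name:\s*(.+?)\s*$")


def split_steps(text: str) -> list[list[str]]:
    """Group lines into YAML list items. Assumption: every step starts with '- '
    and its keys follow on deeper lines; a real audit should use a YAML parser."""
    steps: list[list[str]] = []
    for line in text.splitlines():
        m = STEP_START.match(line)
        if m:
            steps.append([line[m.end():].strip()])
        elif steps and line.strip():
            steps[-1].append(line.strip())
    return steps


def audit(text: str) -> list[dict[str, str]]:
    """One finding per actions/checkout step that does not set persist-credentials:
    false, i.e. the key is omitted (default true applies) or set to true."""
    findings = []
    for step in split_steps(text):
        ref = next((m.group(1) for l in step if (m := CHECKOUT.match(l))), None)
        if ref is None:
            continue  # not a checkout step
        setting = next((m.group(1) for l in step if (m := PERSIST.match(l))), None)
        if setting != "false":
            name = next((m.group(1) for l in step if (m := NAME.match(l))), "<unnamed>")
            findings.append({"step": name, "ref": ref, "persist-credentials": setting or "default (true)"})
    return findings
```

Running `audit(SAMPLE_WORKFLOW)` reports only the first checkout step, since the second opts out and the `run` step is not a checkout at all.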
