[plan] Fix artipacked credential persistence in daily-copilot-token-report workflow #19005

@github-actions

Description

Objective

Fix a Medium severity security vulnerability (artipacked) in the daily-copilot-token-report workflow identified by zizmor in discussion #19004.

Context

The daily-copilot-token-report.lock.yml workflow uses actions/checkout, which by default persists the job's credentials in .git/config. If a later artifact upload step captures the workspace, the short-lived GITHUB_TOKEN is written into the artifact and becomes readable by anyone with read access to the repository's Actions artifacts.

Source: Static Analysis Report - 2026-03-01, zizmor artipacked finding at line 300.

Approach

  1. Open .github/workflows/daily-copilot-token-report.md (the source markdown file)
  2. Locate the actions/checkout step in the workflow frontmatter or steps
  3. Add persist-credentials: false to the checkout step configuration:
    - uses: actions/checkout@v4
      with:
        persist-credentials: false
  4. Run make recompile to regenerate daily-copilot-token-report.lock.yml
  5. Verify the lock file contains persist-credentials: false on the checkout step
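One way to carry out the verification in step 5, as an added example that is not part of this plan or of zizmor's own code: a stdlib-only Python scanner that reports every actions/checkout step whose step block lacks persist-credentials: false. It is run here over a constructed lock-file excerpt, not the real daily-copilot-token-report.lock.yml.

```python
import re

# Constructed sample lock file, not the real daily-copilot-token-report.lock.yml:
# job "report" keeps the checkout default, job "fixed" carries the remedy.
SAMPLE_LOCK = """\
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Upload workspace
        uses: actions/upload-artifact@v4
        with:
          path: .
  fixed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make recompile
"""

CHECKOUT_RE = re.compile(r"^\s*(-\s+)?uses:\s*actions/checkout@")
PERSIST_FALSE_RE = re.compile(r"""^\s*persist-credentials:\s*['"]?false['"]?\s*$""")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_artipacked_steps(workflow_text: str) -> list[int]:
    """1-based line numbers of actions/checkout steps lacking persist-credentials: false.
    Line-based scan of block-style YAML; flow-style `with: {...}` is not handled."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        # Keys of a step mapping sit two columns past its "- " list marker; the step
        # spans from that marker to the next non-blank line that dedents below the keys.
        key_indent = _indent(line) + (2 if line.lstrip().startswith("-") else 0)
        start, end = i, i + 1
        while start > 0 and (not lines[start].strip() or _indent(lines[start]) >= key_indent):
            start -= 1
        while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= key_indent):
            end += 1
        if not any(PERSIST_FALSE_RE.match(ln) for ln in lines[start:end]):
            findings.append(i + 1)
    return findings
```

Running find_artipacked_steps(SAMPLE_LOCK) returns [6], the checkout line in the unfixed "report" job; an empty list after make recompile means the lock file carries the fix on every checkout step.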

Files to Modify

  • .github/workflows/daily-copilot-token-report.md — add persist-credentials: false to checkout step
  • .github/workflows/daily-copilot-token-report.lock.yml — regenerated via make recompile

Acceptance Criteria

  • actions/checkout step in daily-copilot-token-report has persist-credentials: false
  • Lock file is regenerated and contains the fix
  • make agent-finish passes without errors

Generated by Plan Command for discussion #19004

  • expires on Mar 3, 2026, 6:38 AM UTC
