[WIP] Fix credential persistence in release.md workflow

[Copilot]

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Fix credential persistence (artipacked) in release.md workflow</issue_title>
<issue_description>## Objective

Prevent credentials from persisting in GitHub Actions artifacts for .github/workflows/release.md workflow.

Context

Severity: Medium
Tool: zizmor (2 findings)
Issue: Credentials may be exposed through artifact downloads
Reference: https://docs.zizmor.sh/audits/#artipacked

When workflows use actions/upload-artifact after authentication steps, there's a risk that credentials (tokens, keys, etc.) could be included in the artifacts. This creates a security risk if artifacts are accessible to unauthorized users.

Approach

1. Review .github/workflows/release.md to identify artifact upload steps
2. Check if any authentication credentials are present in uploaded directories
3. Implement one or more mitigations:
   • Use actions/upload-artifact exclude patterns for sensitive files
   • Clear credentials before artifact upload (e.g., remove .netrc, clear env vars)
   • Move artifact uploads before authentication steps (if possible)
   • Add explicit cleanup steps before uploads

Files to Modify

• .github/workflows/release.md

Example Mitigations

Option 1: Exclude sensitive files

- name: Upload artifacts
  uses: actions/upload-artifact@v4
  with:
    name: release-assets
    path: dist/
    if-no-files-found: error
    # Exclude credential files
    exclude: |
      **/.netrc
      **/.npmrc
      **/.git-credentials

Option 2: Explicit cleanup

- name: Clean credentials before upload
  run: |
    rm -f ~/.netrc ~/.npmrc ~/.git-credentials
    unset GITHUB_TOKEN GH_TOKEN

- name: Upload artifacts
  uses: actions/upload-artifact@v4
  with:
    name: release-assets
    path: dist/

Acceptance Criteria

• Credentials cannot be found in uploaded artifacts
• Workflow compiles successfully with make recompile
• Zizmor scan no longer reports artipacked for release.md
• Release functionality remains intact
• Artifacts still contain all necessary release assets

Testing

# Compile workflow
make build
./gh-aw compile .github/workflows/release.md

# Run zizmor to verify the fix
zizmor .github/workflows/release.lock.yml

# Test release workflow (if safe to trigger)
# Manually verify artifacts don't contain credentials

Related to #9990

AI generated by Plan Command for discussion #9966

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot option 1

• Fixes [plan] Fix credential persistence (artipacked) in release.md workflow #9993

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.