
fix(ci): persist credentials in dependabot-tidy so push succeeds#5685

Merged
moul merged 2 commits into gnolang:master from thehowl:dev/morgan/fix-dependabot-tidy-push on May 19, 2026

Conversation

@thehowl
Member

@thehowl thehowl commented May 18, 2026

Summary

The tidy_go_mods job in .github/workflows/meta-dependabot-tidy.yml runs make tidy on dependabot PRs that touch go.mod/go.sum, then uses stefanzweifel/git-auto-commit-action to commit and push the result back to the PR branch.

Since #5452 added persist-credentials: false to the actions/checkout step, every run of this job that produces changes fails at the push step:

fatal: could not read Username for 'https://github.com': No such device or address
Error: Invalid status code: 128

The auto-commit action does a plain git push and relies on the credentials persisted into .git/config by actions/checkout. With persist-credentials: false, no credentials are available and the push fails with exit code 128. The GITHUB_TOKEN env var passed to the step is not consumed by recent versions of the action for HTTPS auth.

Example failure: https://github.com/gnolang/gno/actions/runs/25812055587/job/76559999785 (PR #5292).

This fix flips persist-credentials back to true (the default) and adds a comment explaining why. The job already requests contents: write, so persisting the token is the intended behavior here.

zizmor passes on the default persona (the one CI runs). The auditor persona flags this as artipacked (low confidence), but that persona is not enabled in CI.

Test plan

The `tidy_go_mods` job runs `make tidy`, commits the result, and pushes
it back to the dependabot PR's branch. After gnolang#5452 added
`persist-credentials: false` to the checkout step, the push step fails
with "could not read Username for 'https://github.com'" because the
`git-auto-commit-action` does a plain `git push` and relies on
credentials configured in the local repo by `actions/checkout`.

The job already requests `contents: write`; persisting credentials is
the intended behavior here.
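The mechanism described in the PR text above (actions/checkout writing the token into .git/config when persist-credentials is true, and a plain git push failing with exit 128 when it is false) can be checked directly inside a job. The POSIX shell script below is an added example, not code from the gno repository or from this PR. It writes two constructed .git/config files, one as actions/checkout leaves it with persist-credentials: true (the token value ghs_example is a placeholder) and one without credentials, and offers two preflight checks a workflow could run: one before a step that pushes, and one before a step that archives the workspace, which is the exposure zizmor's artipacked audit is about. The header layout (AUTHORIZATION: basic base64("x-access-token:<token>") under http "https://github.com/" extraheader) is how actions/checkout persists the token; the function names and sample configs are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the gnolang/gno repository. Checks whether a
# checkout's .git/config carries the token that actions/checkout persists
# with persist-credentials: true, so a job can fail fast with a readable
# message instead of a plain `git push` dying with
# "could not read Username for 'https://github.com'" (exit code 128).
#
# actions/checkout stores the token as
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
# Every later step (and any artifact upload of the workspace) can read that
# header, which is what zizmor's artipacked audit warns about.

# Constructed .git/config as left by actions/checkout with
# persist-credentials: true. The token "ghs_example" is a placeholder.
write_config_with_creds() {
  cat > "$1" <<'EOF'
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/gnolang/gno
	fetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX2V4YW1wbGU=
EOF
}

# Constructed .git/config for the same checkout with persist-credentials: false
# (no http.*.extraheader entry at all).
write_config_without_creds() {
  cat > "$1" <<'EOF'
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/gnolang/gno
	fetch = +refs/heads/*:refs/remotes/origin/*
EOF
}

# Returns 0 if the config holds a persisted AUTHORIZATION extraheader, 1 otherwise.
# grep only, so it also runs where git is not on PATH.
has_persisted_credentials() {
  grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:[[:space:]]*basic[[:space:]]+' "$1"
}

# First remote URL in the config, so diagnostics name the host the push will hit.
remote_url() {
  sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Preflight for a step that will run a plain `git push` over HTTPS.
# Returns 0 when credentials are present, 1 (with a hint) when they are not.
preflight_push() {
  cfg="$1"
  if has_persisted_credentials "$cfg"; then
    echo "ok: token persisted in $cfg; git push to $(remote_url "$cfg") can authenticate"
    return 0
  fi
  echo "error: no credentials in $cfg; a plain git push to $(remote_url "$cfg") will fail with exit 128" >&2
  echo "hint: set persist-credentials: true on actions/checkout (the job needs contents: write)" >&2
  return 1
}

# Preflight for the opposite case: a step about to archive the workspace
# (e.g. upload-artifact) must not ship a persisted token.
# Returns 0 when the config is clean, 1 when a token would leak.
preflight_artifact() {
  if has_persisted_credentials "$1"; then
    echo "error: $1 contains a persisted AUTHORIZATION header; do not upload this workspace" >&2
    return 1
  fi
  echo "ok: $1 carries no persisted credentials"
}

# Demonstration on the two constructed configs.
demo() {
  tmp="$(mktemp -d)"
  write_config_with_creds "$tmp/with.config"
  write_config_without_creds "$tmp/without.config"
  preflight_push "$tmp/with.config"              # ok
  preflight_push "$tmp/without.config" || true   # error + hint, the PR's failure
  preflight_artifact "$tmp/without.config"       # ok
  preflight_artifact "$tmp/with.config" || true  # error, the artipacked exposure
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it with the argument demo to see all four verdicts. In a workflow, calling preflight_push on $GITHUB_WORKSPACE/.git/config right before git-auto-commit-action turns a misconfigured checkout into a clear error, and calling preflight_artifact before any step that uploads the workspace catches the token-in-artifact case that a stricter zizmor persona flags.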
@Gno2D2
Collaborator

Gno2D2 commented May 18, 2026

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Automated Checks
Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: thehowl/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission

The checkout step intentionally persists credentials so the
git-auto-commit-action below can push back to the dependabot PR. Mark
the artipacked finding as ignored so stricter zizmor personas don't
report it.
@thehowl
Member Author

thehowl commented May 18, 2026

Verified on #5292 (merged in this PR; the workflow works again).

@lbrown2007 lbrown2007 requested a review from jefft0 May 18, 2026 20:18
@lbrown2007 lbrown2007 moved this from Triage to In Review in 🧙‍♂️Gno.land development May 18, 2026
@lbrown2007 lbrown2007 added the a/gnops DevOps, Valopers, NetOps, Infra, Monitoring, Coordination team label May 18, 2026
@lbrown2007 lbrown2007 requested a review from aeddi May 18, 2026 20:19
Contributor

@jefft0 jefft0 left a comment

The test passed on #5292. Waiting to merge this PR and recreate other dependabot PRs for confirmation.

@moul moul merged commit 626ff03 into gnolang:master May 19, 2026
23 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in 💪 Bounties & Worx May 19, 2026
@thehowl thehowl deleted the dev/morgan/fix-dependabot-tidy-push branch May 19, 2026 14:03

Labels

a/gnops DevOps, Valopers, NetOps, Infra, Monitoring, Coordination team 🚀 ci

Projects

Status: Done

5 participants