Document (and move unrelated change elsewhere)

.github/workflows/build.yaml

@@ -29,11 +29,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     continue-on-error: ${{ matrix.experimental }}
     steps:
-      # We run the build twice for each supported JDK: once against the
-      # original Error Prone release, using only Error Prone checks available
-      # on Maven Central, and once against the Picnic Error Prone fork,
-      # additionally enabling all checks defined in this project and any Error
-      # Prone checks available only from other artifact repositories.
+        # We run the build twice for each supported JDK: once against the
+        # original Error Prone release, using only Error Prone checks available
+        # on Maven Central, and once against the Picnic Error Prone fork,
+        # additionally enabling all checks defined in this project and any
+        # Error Prone checks available only from other artifact repositories.
       - name: Check out code
         uses: actions/[email protected]
       - name: Set up JDK

.github/workflows/codeql.yml

@@ -1,3 +1,7 @@
+# Analyzes the code base using Github's default CodeQL query database.
+# Identified issues are registered with GitHub's code scanning dashboard. When
+# a pull request is analyzed, any offending lines are annotated. See
+# https://codeql.github.com for details.
 name: CodeQL analysis
 on:
   pull_request:
@@ -19,6 +23,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/[email protected]
         with: