Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test.yml:
- Around line 15-16: The checkout step currently uses actions/checkout@v4
without disabling token persistence; update the Checkout repository step
(actions/checkout) to set persist-credentials: false so the GitHub token is not
written to local git config during this job. Locate the step that uses
actions/checkout@v4 and add the persist-credentials: false option under that
step's with: block.
- Around line 15-16: Replace floating version tags for GitHub Actions with full
commit SHAs: update each uses: entry (e.g., uses: actions/checkout@v4 and the
other uses: lines flagged at 19 and 33) to reference the corresponding action's
full commit SHA (for example actions/checkout@<full-sha>) by looking up the
canonical commit for the tagged release in the action's GitHub repo and
substituting the tag with that SHA so the workflow is pinned to an immutable
commit.

In `@src/main/java/tf/tuff/TuffX.java`:
- Around line 103-105: TuffX currently only calls
PacketEvents.getAPI().terminate() and unregisters incoming channels via
getServer().getMessenger().unregisterIncomingPluginChannel(this); update
TuffX.shutdown/disable logic to explicitly unregister any plugin channels that
other classes register by calling
getServer().getMessenger().unregisterOutgoingPluginChannel(...) and
getServer().getMessenger().unregisterIncomingPluginChannel(...) for the exact
channel names used in Y0Plugin (the channels registered in Y0Plugin.register...
at the Y0Plugin class) and in TuffActions (the channels registered in
TuffActions at its register calls), ensuring every
registerOutgoing/registerIncoming has a matching unregister to prevent
“registration already exists” on reload.

In `@src/test/TuffXTest.java`:
- Around line 31-65: Tests reference plugin.latestAvailableVersion but TuffX has
no such member, causing compile failures; add a package-visible String field
named latestAvailableVersion to class TuffX (initialize to null) so tests can
read/write it, and update any existing update-check logic (e.g., the method that
detects versions) to assign to this field when an available version is found;
alternatively, expose equivalent package-visible getter/setter on TuffX with the
name latestAvailableVersion so the tests can access the value.
- Around line 1-10: The test class TuffXTest is outside Gradle’s default test
source set; move the file TuffXTest (which declares package tf.tuff) into the
standard test directory so its path matches the package
(src/test/java/tf/tuff/TuffXTest.java) or alternatively update Gradle’s
sourceSets configuration to include its current location; ensure the package
declaration remains tf.tuff and that the class name TuffXTest and imports are
unchanged so JUnit (test { useJUnitPlatform() }) will run it in CI.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/test.yml:
- Around line 15-16: The checkout step using actions/checkout@v6 currently
leaves the GitHub token in git config; update the checkout step (the action
invocation "actions/checkout@v6") to include the input persist-credentials:
false so credentials are not persisted to the repository config for the job (add
the persist-credentials: false field under the checkout step).