ci: tighten up permissions a bit (#983)

henryiii · web-flow · commit 54f9a8989cf2 · 2025-02-04T12:33:17.000-05:00
Some suggestions from [Zizmor](https://woodruffw.github.io/zizmor/). Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -9,13 +9,16 @@ on:
 env:
   FORCE_COLOR: 3
 
+permissions: {}
+
 jobs:
   dist:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ concurrency:
 env:
   FORCE_COLOR: 3
 
+permissions: {}
+
 jobs:
   lint:
     name: Format
@@ -24,6 +26,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -106,6 +109,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
@@ -172,6 +177,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
@@ -216,6 +223,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Prepare venv
         run: python3.13t -m venv /venv
@@ -235,6 +243,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: cygwin/cygwin-install-action@v5
         with:
@@ -273,6 +282,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install
         run: python -m pip install .[test]
@@ -305,6 +315,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install
         run: python -m pip install .[test]
@@ -324,6 +335,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
@@ -340,6 +352,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: astral-sh/setup-uv@v5
 
