ci: add some suggestions from zizmor (#925)

henryiii · web-flow · commit ae83927f28fd · 2025-02-05T11:34:52.000-05:00
Signed-off-by: Henry Schreiner &lt;henryschreineriii@gmail.com&gt;
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,5 @@
+changelog:
+  exclude:
+    authors:
+      - dependabot
+      - pre-commit-ci
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
@@ -11,8 +11,12 @@ on:
       - "action.yml"
   workflow_dispatch:
     # allow manual runs on branches without a PR
+
 env:
   FORCE_COLOR: "1"
+
+permissions: {}
+
 jobs:
   action-default-tests:
     runs-on: ${{ matrix.os }}
@@ -28,6 +32,8 @@ jobs:
           - macos-14
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v5
       - uses: ./
       - run: nox --non-interactive --error-on-missing-interpreter --session github_actions_default_tests
@@ -36,6 +42,8 @@ jobs:
     runs-on: windows-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: 3.9
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
@@ -32,6 +34,8 @@ jobs:
             python-version: "3.12"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up non-default Pythons
         uses: actions/setup-python@v5
         with:
@@ -69,6 +73,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
@@ -91,6 +97,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
@@ -103,6 +111,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
@@ -119,6 +129,8 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build sdist and wheel
         run: pipx run build
       - name: Publish distribution PyPI
