Limit workflow permissions (#693)

Author: sylwia-budzynska

.github/workflows/ci.yml

@@ -3,6 +3,11 @@ on:
   pull_request_target:
     types: [labeled]
 
+permissions:  
+  checks: write #This is required by FirebaseExtended/action-hosting-deploy@v0
+  contents: read #This is required for private repositories for the actions/checkout@v4 action
+  pull-requests: write #This is required by FirebaseExtended/action-hosting-deploy@v0
+  
 jobs:
   build:
     name: Build and preview site
@@ -14,6 +19,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
+          persist-credentials: false # This will not store the git credentials on disk, only in memory
 
       - name: Set up Python
         uses: actions/setup-python@v5