workflows: perform audit with zizmor

Zizmor[0] is a static analysis tool for GitHub actions. Perform a quick
security audit with it and fix the issues it found, not including
unpinned commit uses.

https://woodruffw.github.io/zizmor/

Signed-off-by: Luca Zeuch <[email protected]>

Author: l-zeuch

.github/workflows/hugo.yml

@@ -9,8 +9,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: 'pages'
@@ -26,6 +24,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Hugo
         uses: peaceiris/actions-hugo@v3
@@ -69,6 +69,9 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+
     steps:
       - name: Deploy to GitHub Pages
         id: deployment