CI: Harden permissions (#22)

dubek · web-flow · commit 4e8ff36c3a03 · 2025-10-12T22:34:26.000+03:00
Follow recommendations from zizmor scan
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     ignore_branches: [ no_test ]
 
+permissions: {}
+
 jobs:
 
   build:
@@ -19,6 +21,8 @@ jobs:
       run: sudo apt-get install -y rabbitmq-server
 
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Go
       uses: actions/setup-go@v5
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
@@ -6,13 +6,17 @@ on:
   pull_request:
     ignore_branches: [ no_test ]
 
+permissions: {}
+
 jobs:
 
   build_container_scratch:
 
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Run build_container to generate scratch image
       run: scripts/build_container -g scratch -e BASE_IMAGE=scratch
@@ -22,6 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Run build_container to generate and image using kaniko
       run: scripts/build_container --tag kaniko --builder kaniko -t debug -e UID=1234 -e GID=5678
@@ -37,6 +43,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Run scripts/test
       run: scripts/test
