Update workflows to pass zizmor check (#146)

simonswine · web-flow · commit 6ff1a6aa4df0 · 2025-04-28T14:43:09.000-03:00
diff --git a/.github/workflows/check_golang_profiler_changes.yml b/.github/workflows/check_golang_profiler_changes.yml
@@ -5,13 +5,18 @@ on:
     - cron: '20 4 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check_golang_profiler_changes:
     runs-on: ubuntu-latest
     if: github.repository == 'grafana/pyroscope-go' # avoid running on forks
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: '1.20'
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   go:
     runs-on: ubuntu-latest
@@ -16,6 +19,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Go ${{ matrix.go }}
         if: matrix.go != 'tip'
diff --git a/.github/workflows/gotip_cron_test.yml b/.github/workflows/gotip_cron_test.yml
@@ -5,12 +5,17 @@ on:
     - cron: '37 1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   go:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Go stable
         uses: actions/setup-go@v5
         with:
