Improve GHA security

Author: michaelmior

.github/workflows/ci.yml

@@ -8,6 +8,8 @@ on:
   pull_request:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -22,6 +24,8 @@ jobs:
           - "3.13"
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@v5
       with:
         allow-prereleases: true

.github/workflows/codeql.yml

@@ -23,6 +23,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3