CI: auto-fix via zizmor

tacaswell · tacaswell · commit a19a823fe073 · 2025-07-17T23:06:25.000-04:00
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3
         uses: actions/setup-python@v3
@@ -34,6 +36,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3
         uses: actions/setup-python@v3
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -11,6 +11,8 @@ jobs:
         python-version: ["3.11", "3.12"]
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Install Python ${{ matrix.python-version }}
         uses: actions/setup-python@v3
