From 24725ba743052baac53ed30698f49357066936ee Mon Sep 17 00:00:00 2001
From: Dov Murik
Date: Sun, 12 Oct 2025 15:24:41 -0400
Subject: [PATCH] CI: Harden permissions

Follow recommendations from zizmor scan
---
 .github/workflows/build-and-test.yml | 4 ++++
 .github/workflows/build_container.yml | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index d6beb43..c6abb7c 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -6,6 +6,8 @@ on:
 pull_request:
 ignore_branches: [ no_test ]
+permissions: {}
+
 jobs:
 build:
@@ -19,6 +21,8 @@ jobs:
 run: sudo apt-get install -y rabbitmq-server
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Go
 uses: actions/setup-go@v5
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
index 3cd57ee..ae0551b 100644
--- a/.github/workflows/build_container.yml
+++ b/.github/workflows/build_container.yml
@@ -6,6 +6,8 @@ on:
 pull_request:
 ignore_branches: [ no_test ]
+permissions: {}
+
 jobs:
 build_container_scratch:
@@ -13,6 +15,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Run build_container to generate scratch image
 run: scripts/build_container -g scratch -e BASE_IMAGE=scratch
@@ -22,6 +26,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Run build_container to generate and image using kaniko
 run: scripts/build_container --tag kaniko --builder kaniko -t debug -e UID=1234 -e GID=5678
@@ -37,6 +43,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Run scripts/test
 run: scripts/test
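Review bot: The workflow-level `permissions: {}` added in the first hunk of build-and-test.yml (and the matching first hunk of build_container.yml) is not paired with any job-level `permissions:` block, so every job now runs with a GITHUB_TOKEN that has no scopes at all. If this repository is private, `actions/checkout` needs `contents: read` and the jobs would fail; on a public repository it still works, but declaring the minimum each job needs keeps the grant auditable, e.g. under `build:` add `permissions:` / `  contents: read` (and likewise for the three jobs in build_container.yml). The pre-existing context line `ignore_branches: [ no_test ]` under `pull_request:` looks like it is not a recognised trigger filter key (the documented one is `branches-ignore`), so the intended branch exclusion may not be in effect and is worth checking while this file is being touched. The enclosing `on:` and `jobs:` mappings continue outside the hunk.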
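Review bot: The `persist-credentials: false` lines in the second hunk of build-and-test.yml and in the three checkout hunks of build_container.yml carry no explanation, and the reason is not obvious to a reader who did not run zizmor; a comment above each `with:` such as `# do not leave GITHUB_TOKEN in .git/config: repo scripts run later in this job must not be able to read it` records why it must stay. The hardening is also only partial while `actions/checkout@v4` and `actions/setup-go@v5` reference mutable tags rather than a full commit SHA (conventionally with the tag kept as a trailing `# v4` comment), since a moved tag would run unreviewed action code with the same token and runner. Each job (`build`, `build_container_scratch`, and the later ones) continues outside its hunk.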