From d8deb6a705c739d9fe376c6917d1d574b60f0a36 Mon Sep 17 00:00:00 2001
From: Philipp Wendler
Date: Mon, 9 Dec 2024 07:17:15 +0100
Subject: [PATCH] Implement hardening suggestion of zizmor for GitHub Actions

The checkout action by default stores GitHub credentials on disk. We do not need them, so we can disable this.
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/javascript.yml | 6 ++++++
 .github/workflows/reuse.yml | 2 ++
 .github/workflows/ruff.yml | 2 ++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index de353f374..c45e90b9d 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: psf/black@stable
         with:
           options: "--check --diff"
diff --git a/.github/workflows/javascript.yml b/.github/workflows/javascript.yml
index 18a9f1dce..a14e06e2a 100644
--- a/.github/workflows/javascript.yml
+++ b/.github/workflows/javascript.yml
@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -43,6 +45,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -70,6 +74,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index a324b38a4..fd78f3027 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -14,4 +14,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: fsfe/reuse-action@v3
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index bdcf477f6..80cd8c04f 100644
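Review bot: The `uses:` references visible in the black.yml hunk (`actions/checkout@v4`, `psf/black@stable`) are still pinned to mutable tags or branches, so the hardening is only half done from a supply-chain standpoint: `persist-credentials: false` keeps the token off disk, but a re-tagged or compromised action revision still runs with whatever permissions the job's `GITHUB_TOKEN` carries. The same applies to `actions/setup-node@v4` in the three javascript.yml hunks, `fsfe/reuse-action@v3` in reuse.yml and `chartboost/ruff-action@v1` in ruff.yml. Consider pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v4`, and letting Dependabot or Renovate bump the SHAs. The workflows' top-level `permissions:` block is outside every hunk; if it is not already `permissions: contents: read`, that is the other zizmor finding worth closing in the same change.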
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -14,4 +14,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: chartboost/ruff-action@v1
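Review bot: `chartboost/ruff-action@v1` on the last context line appears, as far as I recall, to be no longer maintained under that namespace (the action moved to the astral-sh organisation), which would leave the `v1` tag effectively frozen without security fixes. Verify against the action's README and, if so, switch to the maintained action pinned to a commit SHA rather than a floating major tag.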