fixed #485 - addressed zizmor findings in GitHub Actions (#486)

firewave · web-flow · commit 538c5c4cd8ba · 2025-08-23T10:47:23.000+02:00
diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
@@ -2,6 +2,9 @@ name: CI-unixish
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
@@ -23,6 +26,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Install missing software on ubuntu
       if: matrix.os == 'ubuntu-24.04'
diff --git a/.github/workflows/CI-windows.yml b/.github/workflows/CI-windows.yml
@@ -6,6 +6,9 @@ name: CI-windows
 
 on: [push,pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: cmd
@@ -23,6 +26,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup msbuild.exe
         uses: microsoft/setup-msbuild@v2
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
@@ -4,13 +4,18 @@ name: clang-tidy
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
     runs-on: ubuntu-24.04
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install missing software
         run: |
