
Commit 45733b9

committed
chore: implement zizmor recommendations
1 parent a18aa3f commit 45733b9

4 files changed

Lines changed: 25 additions & 4 deletions


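--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,16 +6,22 @@ on:
 branches: [ "main" ]
 
 
+permissions: {}
+
 jobs:
 backend-checks:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 defaults:
 run:
 working-directory: ./backend
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Python 3.14
 uses: actions/setup-python@v5
@@ -39,13 +45,17 @@ jobs:
 
 frontend-checks:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 defaults:
 run:
 working-directory: ./frontend
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Bun
 uses: oven-sh/setup-bun@v2
@@ -77,8 +87,12 @@ jobs:
 
 docker-build-check:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3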
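Review bot: Every `uses:` line in these hunks still resolves a mutable tag (`actions/checkout@v4`, `actions/setup-python@v5`, `oven-sh/setup-bun@v2`, `docker/setup-buildx-action@v3`), so a retagged or compromised release of any of them would run inside the job even with the reduced token scope. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, closes that gap, and an update bot can keep the pins current. The same applies to `actions/configure-pages@v5` and `astral-sh/setup-uv@v5` in docs.yml and to `docker/login-action@v3` in release.yml, where the action handles registry credentials. Each job's step list continues outside the hunks, so later `uses:` lines need the same pass.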

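--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,10 +7,7 @@ on:
 paths:
 - 'docs/**'
 
-permissions:
-contents: read
-pages: write
-id-token: write
+permissions: {}
 
 concurrency:
 group: "pages"
@@ -22,10 +19,16 @@ jobs:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 runs-on: ubuntu-latest
+permissions:
+contents: read
+pages: write
+id-token: write
 steps:
 - uses: actions/configure-pages@v5
 
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Setup uv
 uses: astral-sh/setup-uv@v5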
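Review bot: The job-level block at new lines 22-25 gives `pages: write` and `id-token: write` to every step of this job, including `astral-sh/setup-uv@v5` and whatever docs build follows it. The `url: ${{ steps.deployment.outputs.page_url }}` line suggests the deployment step lives in the same job. If so, a build job holding only `contents: read` that uploads the Pages artifact, followed by a separate deploy job holding `pages: write` and `id-token: write`, would keep the OIDC token out of reach of the build tooling. The job body continues past the hunk, so this is inferred from the visible steps only. A comment such as `# id-token: write is needed by the Pages deployment step` on the grant would also record why the scope is there.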

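--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Log in to the Container registry
 uses: docker/login-action@v3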

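--- a/.github/workflows/sandbox.yml
+++ b/.github/workflows/sandbox.yml
@@ -6,6 +6,8 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 redeploy:
 runs-on: ubuntu-latest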
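Review bot: `permissions: {}` is added at workflow level here without a job-level grant for `redeploy` in the visible lines, unlike ci.yml and docs.yml where each job received its own block. If any step of `redeploy` needs the job token (a checkout of a private repository, a GitHub API call), it may now fail on the nightly cron run, where a failure is easy to miss. If the job only triggers an external deploy with a stored secret, the empty default is right and worth stating next to it, e.g. `# redeploy uses no GITHUB_TOKEN scopes`. The job body is outside the hunk, so this needs checking against the actual steps.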
