Various zizmor warning fixes

Author: lazka

.github/workflows/test.yml

@@ -4,10 +4,14 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
 
   msys2:
     runs-on: windows-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -19,6 +23,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: setup-msys2
         uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2.31.1
@@ -65,12 +71,16 @@ jobs:
 
   ubuntu:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         python-version: ['3.10', '3.11', '3.12', '3.13', '3.14', '3.14t', 'pypy-3.11']
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -123,6 +133,8 @@ jobs:
 
   msvc:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -141,6 +153,8 @@ jobs:
             os: 'windows-11-arm'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         id: setup-python
@@ -156,13 +170,17 @@ jobs:
           arch : ${{ matrix.architecture }}
 
       - name: Download and extract Cairo Binary
+        env:
+          PYCAIRO_ARCH: ${{ matrix.architecture }}
         run: |
-          python .ci/download-cairo-win32.py "${{ matrix.architecture }}"
+          python .ci/download-cairo-win32.py "$env:PYCAIRO_ARCH"
 
       - name: Install dependencies
+        env:
+          PYTHON_PATH: ${{ steps.setup-python.outputs.python-path }}
         run: |
-          pipx install --python "${{ steps.setup-python.outputs.python-path }}" uv
-          pipx install --python "${{ steps.setup-python.outputs.python-path }}" meson
+          pipx install --python "$env:PYTHON_PATH" uv
+          pipx install --python "$env:PYTHON_PATH" meson
           uv sync
 
       - name: Build & Test with meson
@@ -195,10 +213,13 @@ jobs:
 
   macos:
     runs-on: macos-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |

.github/workflows/wheels.yml

@@ -2,13 +2,20 @@ name: Build
 
 on: [push, pull_request]
 
+permissions: {}
+
 jobs:
 
   build_sdist:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -32,6 +39,8 @@ jobs:
   build_wheels:
     name: Build wheels on ${{ matrix.os }} (${{ matrix.platform_id }})
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -48,6 +57,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup MSVC
         uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0