chore: fix security issues according to zizmor

danfimov · danfimov · commit 130a747e0551 · 2025-10-23T12:25:40.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
@@ -19,7 +21,7 @@ jobs:
       - name: Install deps
         run: poetry install
       - name: Set version
-        run: poetry version "${{ github.ref_name }}"
+        run: poetry version "${GITHUB_REF_NAME}"
       - name: Release package
         env:
           POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/release_docs.yaml b/.github/workflows/release_docs.yaml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
       - name: Setup Node.js
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,6 +7,11 @@ on:
       - '*.md'
   push:
 
+permissions:
+  actions: read
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     strategy:
@@ -18,6 +23,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
@@ -38,6 +45,8 @@ jobs:
     runs-on: "${{ matrix.os }}"
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
