From eaaa7c06a71865c300af7010cf9b035a6b7a2a0f Mon Sep 17 00:00:00 2001
From: zerolab <dan@zerolab.org>
Date: Fri, 20 Dec 2024 15:54:48 +0100
Subject: [PATCH] Tidy up GitHub Actions configuration

using https://github.com/woodruffw/zizmor
---
 .github/workflows/nigthly-tests.yml | 6 ++++--
 .github/workflows/publish.yml       | 4 ++--
 .github/workflows/ruff.yml          | 2 ++
 .github/workflows/test.yml          | 7 +++++++
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/nigthly-tests.yml b/.github/workflows/nigthly-tests.yml
index b159ce7d..3a96a774 100644
--- a/.github/workflows/nigthly-tests.yml
+++ b/.github/workflows/nigthly-tests.yml
@@ -16,10 +16,12 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.12
+        with:
+          persist-credentials: false
+      - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: '3.13'
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip tox
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6c6e85c7..bc8e4150 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Node
         uses: actions/setup-node@v4
@@ -27,7 +27,7 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: '3.13'
           cache: 'pip'
           cache-dependency-path: '**/pyproject.toml'
 
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index dfec5abc..27055c02 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -14,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # keep in sync with .pre-commit-config.yaml
       - run: python -Im pip install --user ruff==0.8.4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5bab3aef..b7710099 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,6 +31,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python }}
         uses: actions/setup-python@v5
         with:
@@ -76,6 +78,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         id: setup-python
@@ -113,6 +117,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-python@v5
         with:
           # Use latest Python, so it understands all syntax.