Fix zizmor findings on CI (#221)

hugovk · web-flow · commit 767c7cb0b21f · 2024-12-08T00:37:46.000+02:00
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -8,6 +8,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -1,8 +1,5 @@
 name: Sync labels
 
-permissions:
-  pull-requests: write
-
 on:
   push:
     branches:
@@ -13,9 +10,13 @@ on:
 
 jobs:
   sync:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@v1
         with:
           prune: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,28 +4,30 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
   FORCE_COLOR: 1
-  PIP_DISABLE_PIP_VERSION_CHECK: 1
-
-permissions:
-  contents: read
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
-          cache: pip
-      - uses: pre-commit/action@v3.0.1
+      - uses: tox-dev/action-pre-commit-uv@v1
 
   mypy:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
       - name: Install uv
         uses: hynek/setup-cached-uv@v2
       - name: Mypy
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -14,9 +14,6 @@ on:
   #   types: [opened, reopened, synchronize]
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   update_release_draft:
     if: github.repository_owner == 'python-humanize'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,9 +11,6 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 env:
   FORCE_COLOR: 1
 
@@ -27,6 +24,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,9 +2,6 @@ name: Test
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
-
 env:
   FORCE_COLOR: 1
 
@@ -19,6 +16,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
