CI: auto-fix via zizmor, restrict default permissions

tacaswell · anntzer · commit 02dd33a78bba · 2025-07-20T15:40:39.000+02:00
Prevents checkout premissions from leaking
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,4 +1,6 @@
 name: build
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -12,6 +14,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
