ci: Fix zizmor findings in .github/workflows/

yedayak · yedayak · commit bdce8ce81f3c · 2025-09-18T15:55:15.000+03:00
In preparation for adding it to the pre-commit configuration.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -6,12 +6,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with: # for gitlint
+          persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
@@ -53,6 +56,8 @@ jobs:
       fail-fast: false
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: googleapis/release-please-action@5792afc6b46e9bb55deda9eda973a18c226bc3fc # v4.1.5
         with:
           config-file: .github/release-please-config.json
@@ -87,10 +92,13 @@ jobs:
             sha256sums.txt
         if: matrix.dist == 'alpine'
       - name: Upload release assets
+        permissions:
+          contents: write
         run: |
           set -x
-          gh release upload ${{steps.release.outputs.tag_name}} \
+          gh release upload ${RELEASE_PLEASE_TAG_NAME} \
             bash-completion-$(cat version.txt).tar.xz sha256sums.txt
         env:
           GH_TOKEN: ${{github.token}}
+          RELEASE_PLEASE_TAG_NAME: ${{steps.release.outputs.tag_name}}
         if: steps.release.outputs.release_created
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
@@ -15,6 +15,8 @@ on:
       - test/docker/*/install-packages.sh
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   update-test-image:
     runs-on: ubuntu-latest
@@ -29,7 +31,11 @@ jobs:
           - dist: ubuntu14
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        permissions:
+          packages: write # Get token that can write to ghcr.io
         with:
           registry: ghcr.io
           username: ${{github.repository_owner}}
