workflows: perform audit with zizmor

Zizmor[0] is a static analysis tool for GitHub actions. Perform a quick security audit with it and fix the issues it found, not including unpinned commit uses. https://woodruffw.github.io/zizmor/ Signed-off-by: Luca Zeuch <[email protected]>
botlabs-gg · Dec 16, 2024 · d28809e · d28809e
1 parent c8a8a29
commit d28809e
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
@@ -9,8 +9,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: 'pages'
@@ -26,6 +24,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Hugo
         uses: peaceiris/actions-hugo@v3
@@ -69,6 +69,9 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+
     steps:
       - name: Deploy to GitHub Pages
         id: deployment