From 2ff9d4fadf48a751c1f98cefb42031c12c88d874 Mon Sep 17 00:00:00 2001
From: Stefan Boca
Date: Fri, 10 Jan 2025 22:30:53 -0800
Subject: [PATCH] fix(ci): don't persist credentials in actions/checkout

Identified with [zizmor](https://woodruffw.github.io/zizmor/). It's also possible to [run zizmore in ci](https://woodruffw.github.io/zizmor/usage/#use-in-github-actions), but I didn't implement this because it requires a GITHUB_TOKEN secret.
---
 .github/workflows/nix.yaml | 2 ++
 .github/workflows/release.yaml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml
index 54086f13..f2a4d840 100644
--- a/.github/workflows/nix.yaml
+++ b/.github/workflows/nix.yaml
@@ -15,6 +15,8 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 extra-conf: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b2d643d6..858485ad 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,6 +49,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Rust
 run: |
@@ -116,6 +118,8 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v4
 - name: Build
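Review bot: The checkout hardening is correct, but the context line directly below the added input, `- uses: DeterminateSystems/nix-installer-action@main`, still references a mutable branch, so this job executes whatever that branch points to at run time; that is the larger supply-chain exposure in the hunk and the commit leaves it untouched. Pinning it to a release tag or, preferably, a full commit SHA with a version comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha>  # vX.Y.Z`, closes it, and zizmor's unpinned-uses audit reports this same case. The tag-rather-than-SHA observation also applies to `actions/checkout@v4` here and in both release.yaml hunks, and to `actions/setup-node@v4` in the second release.yaml hunk. The job definition (its `runs-on:` and the rest of its `permissions:` block) begins above the hunk.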
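Review bot: With `persist-credentials: false` the checkout no longer writes the job token into the repository's git config, so any later step in this release job that pushes a tag, commit or release branch will fail unless that step is handed a token explicitly through its own `with:`/`env:` input; no such step is visible here, so this needs confirming against the rest of the job, which begins above the hunk and continues past `run: |`. Unlike the nix.yaml job, no `permissions:` declaration is visible for this job in the hunk; if it relies on the workflow or repository default, adding an explicit least-privilege block such as `permissions:` / `  contents: read` (widened only for the steps that publish) would make the hardening consistent across the three jobs touched by this commit.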