Address zizmor findings

No persisting credentials, and the test and docs jobs in the test workflow
each get job-scoped content writing permissions.

.github/workflows/python.yaml

@@ -8,22 +8,23 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-
 jobs:
   lint:
     name: Run code checks and formatting hooks
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.10 and dependencies
         uses: ./.github/actions/python-deps
         with:
           pythonVersion: "3.10"
       - name: Run pre-commit checks
         run: uv run pre-commit run --all-files --verbose --show-diff-on-failure
   test:
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -52,6 +53,8 @@ jobs:
           LAKEFS_BLOCKSTORE_TYPE: "local"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -73,6 +76,8 @@ jobs:
   docs:
     name: Build documentation for lakefs-spec
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     services:
       lakefs:
         image: treeverse/lakefs:latest
@@ -89,6 +94,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python 3.11 and dependencies
         uses: ./.github/actions/python-deps
         with:

.github/workflows/release.yaml

@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for documentation builds
+          persist-credentials: false
       - name: Set up Python and dependencies
         uses: ./.github/actions/python-deps
         with: