more secure actions, due to zizmor

Author: nedbat

.github/workflows/ci.yml

@@ -21,6 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: chartboost/ruff-action@v1
         with:
           args: 'format --check'
@@ -29,6 +32,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: chartboost/ruff-action@v1
 
   tests:
@@ -67,6 +73,8 @@ jobs:
     steps:
       - name: "Check out the repo"
         uses: "actions/checkout@v4"
+        with:
+          persist-credentials: false
 
       - name: "Set up Python"
         uses: "actions/setup-python@v5"
@@ -98,6 +106,7 @@ jobs:
         uses: "actions/checkout@v4"
         with:
           fetch-depth: "0"
+          persist-credentials: false
 
       - name: "Set up Python"
         uses: "actions/setup-python@v5"