lock down actions

jmelahman · jmelahman · commit 2f67dcbf1448 · 2024-12-16T18:25:11.000-08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,16 +5,16 @@ on:
     tags:
       - "v*.*.*"
 
-permissions:
-  contents: write
 
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Set up Go
         uses: actions/setup-go@v5
@@ -33,6 +33,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,10 +9,11 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
