From 6e7eba2262b8bac6d973bb38d74a6039c83ee123 Mon Sep 17 00:00:00 2001
From: Nicholas Junge
Date: Tue, 7 Jan 2025 18:44:23 +0100
Subject: [PATCH] Address zizmor findings

No persisting credentials, and the test and docs jobs in the test workflow each get job-scoped content writing permissions.
---
 .github/workflows/python.yaml | 12 +++++++++---
 .github/workflows/release.yaml | 1 +
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
index 5b6a7170..83498fc3 100644
--- a/.github/workflows/python.yaml
+++ b/.github/workflows/python.yaml
@@ -8,15 +8,14 @@ on:
 branches:
 - main
 
-permissions:
- contents: write
-
 jobs:
 lint:
 name: Run code checks and formatting hooks
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python 3.10 and dependencies
 uses: ./.github/actions/python-deps
 with:
@@ -24,6 +23,8 @@ jobs:
 - name: Run pre-commit checks
 run: uv run pre-commit run --all-files --verbose --show-diff-on-failure
 test:
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
 matrix:
@@ -52,6 +53,8 @@ jobs:
 LAKEFS_BLOCKSTORE_TYPE: "local"
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 with:
@@ -73,6 +76,8 @@ jobs:
 docs:
 name: Build documentation for lakefs-spec
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 services:
 lakefs:
 image: treeverse/lakefs:latest
@@ -89,6 +94,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python 3.11 and dependencies
 uses: ./.github/actions/python-deps
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 57ab89f0..58096416 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
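Review bot: Removing the workflow-level `permissions` block in the hunk at @@ -8 leaves the `lint` job, and any job added to this workflow later, with the repository's default GITHUB_TOKEN permissions instead of an explicit minimum, which on a repository still using the permissive default is broader than the `contents: write` that was just removed. A workflow-level `permissions:` / `  contents: read` (or `permissions: {}` if no job needs the token at all) makes the least-privilege intent of this commit independent of the repository setting, and the job-level `contents: write` blocks added to `test` and `docs` below still override it where write access is needed. The remaining steps of the `lint` job are outside the hunk.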
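Review bot: The job-scoped `permissions:` / `contents: write` added to `test` (hunk at @@ -24) and to `docs` (hunk at @@ -73) carries no comment saying which step needs write access, so a later reader cannot tell when it would be safe to narrow it to `contents: read`. A one-line comment above each grant, e.g. `permissions:  # contents: write — required by the <step name> step below` with the real step filled in, documents the reason next to where the permission is given. The steps that actually use the token are outside these hunks, so the step names cannot be taken from the diff.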
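Review bot: With `persist-credentials: false` now set on the checkouts in the `test` job (hunk at @@ -52), the `docs` job (hunk at @@ -89) and the release workflow (hunk at @@ -27 in release.yaml), any later step in those jobs that pushes through git — which the `fetch-depth: 0` checkouts and the `contents: write` grants above suggest may exist — no longer finds a token in the checkout's git config and will fail unless it is handed `secrets.GITHUB_TOKEN` explicitly, through whatever token input or environment variable that step accepts. Those later steps are outside the hunks, so this needs confirming against the full workflow files rather than the diff; if nothing in these jobs pushes, the change is complete as is.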
@@ -27,6 +27,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0 # for documentation builds
+ persist-credentials: false
 - name: Set up Python and dependencies
 uses: ./.github/actions/python-deps
 with: