From 6cf8a344a5c2f99dc80e11d4204570a6b8854c3a Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Fri, 6 Dec 2024 15:05:18 -0500
Subject: [PATCH 1/2] ci: disable persist-credentials in test.yml
We already do this in most of the other Rustls crates, and Zizmor 0.7.0 flags[0] its absence in this repo.
[0]: https://woodruffw.github.io/zizmor/audits/#artipacked
---
 .github/workflows/test.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 47a8b2c..52203e7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Check out repository code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up sccache (part 1)
 uses: mozilla-actions/sccache-action@v0.0.3
 with:
From c01c03b8cb6830325e5b138a1654daad940c61b8 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Fri, 6 Dec 2024 15:06:07 -0500
Subject: [PATCH 2/2] ci: remove release-plz workflow
We've traditionally favoured manual releases in the Rustls org, and there are several Zizmor findings with the existing `release-plz.yaml` config. Rather than fix them, let's remove the workflow for now and get on the trusted publishers train when the upstream Rust RFC stabilizes.
---
 .github/workflows/release-plz.yaml | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 .github/workflows/release-plz.yaml
diff --git a/.github/workflows/release-plz.yaml b/.github/workflows/release-plz.yaml
deleted file mode 100644
index a0378b6..0000000
--- a/.github/workflows/release-plz.yaml
+++ /dev/null
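Review bot: The new `persist-credentials: false` under the checkout step in test.yml has no comment saying why it is there, so a later edit that needs authenticated git access in this job could drop it without seeing the trade-off. Suggest adding `# Keep GITHUB_TOKEN out of .git/config; no later step needs to push (zizmor: artipacked)` above the `with:` line, assuming no later step in this job performs authenticated git operations, which the hunk does not show. Separately, the context lines reference `mozilla-actions/sccache-action@v0.0.3` by a mutable tag; pinning it to a full commit SHA would be a natural follow-up to this hardening. The job's step list starts and continues outside the hunk, so any other checkout steps in test.yml are not visible here.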
@@ -1,24 +0,0 @@
-name: release-plz
-
-permissions:
- pull-requests: write
- contents: write
-
-on:
- push:
- branches: ["main"]
-
-jobs:
- release-plz:
- name: release-plz
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Run release-plz
- uses: MarcoIeni/release-plz-action@v0.5
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}