From 960e3e63faf67beb388ae700614b9b6e42cb7d47 Mon Sep 17 00:00:00 2001 From: Kisaragi Marine Date: Sat, 11 Jan 2025 20:36:44 +0900 Subject: [PATCH] chore: zizmor compat --- .github/workflows/actionlint.yml | 2 ++ .github/workflows/cargo-deny.yml | 2 ++ .github/workflows/rust-wasm.yml | 3 ++- .github/workflows/rust.yml | 2 ++ .github/workflows/todo-as-issue.yml | 20 +++++++++++-------- .../validate-renovate-custom-managers.yml | 2 ++ .github/workflows/validate-renovate.yml | 9 +++++---- 7 files changed, 27 insertions(+), 13 deletions(-) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 8bcd4075..517668fe 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -42,6 +42,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: actionlint uses: reviewdog/action-actionlint@v1.62.0 with: diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml index 748e9b36..4459865c 100644 --- a/.github/workflows/cargo-deny.yml +++ b/.github/workflows/cargo-deny.yml @@ -20,6 +20,8 @@ jobs: cargo install cargo-deny - name: checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: check run: | cargo deny check diff --git a/.github/workflows/rust-wasm.yml b/.github/workflows/rust-wasm.yml index df0e5281..2a6af400 100644 --- a/.github/workflows/rust-wasm.yml +++ b/.github/workflows/rust-wasm.yml @@ -32,13 +32,14 @@ jobs: - os: windows-2022 wasmpack_target_triple: x86_64-pc-windows-msvc wasmpack_name: wasm-pack.exe - # FIXME: windows does not recognize /usr/local/bin, causing build to be failed fail-fast: false runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Rust Cache uses: Swatinem/rust-cache@v2.7.7 with: diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 572e1ea5..3dcd0708 100644 
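Review bot: In .github/workflows/actionlint.yml the checkout step is still referenced by the mutable tag `actions/checkout@v4`, while rust.yml and rust-wasm.yml in this same patch use the full commit pin; I would use the same line here, `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`. The same applies to the checkout steps in cargo-deny.yml, validate-renovate-custom-managers.yml and validate-renovate.yml. The third-party actions visible in these hunks (`reviewdog/action-actionlint@v1.62.0`, `Swatinem/rust-cache@v2.7.7`, `alstr/todo-to-issue-action@v5`) are also tag references, and the last one runs in a job holding `issues: write`, so a commit pin matters most there. A tag can be moved by whoever controls the action's repository; a commit hash cannot.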
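Review bot: In .github/workflows/cargo-deny.yml the line just above the changed checkout step runs `cargo install cargo-deny` with no version and no `--locked`, so every run builds whatever release and dependency set is current at that moment. For a job whose purpose is dependency policy checking I would pin it, for example `cargo install --locked cargo-deny --version <PINNED_VERSION>` (placeholder; the page does not show which version the project uses). The `run:` block containing that line starts outside the hunk, so the rest of the step is not visible here.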
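Review bot: In .github/workflows/rust-wasm.yml the new side no longer carries the comment `# FIXME: windows does not recognize /usr/local/bin, causing build to be failed` above `fail-fast: false`, and the commit message ("zizmor compat") does not say why. If the Windows matrix entry still fails for that reason, I would keep the comment or replace it with a reference to a tracking issue; if the problem is resolved, a line in the commit description would record that. As it stands, the only visible documentation of that Windows limitation disappears in a commit about checkout credentials.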
--- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -43,6 +43,8 @@ jobs: run: | echo '${{ toJSON(matrix) }}' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Install compiler ${{ matrix.rustc_channel }} ( ${{ matrix.rustc_version }} ) run: | if [[ "${{ matrix.rustc_channel }}" == nightly ]]; then diff --git a/.github/workflows/todo-as-issue.yml b/.github/workflows/todo-as-issue.yml index b39b28c3..20b0238c 100644 --- a/.github/workflows/todo-as-issue.yml +++ b/.github/workflows/todo-as-issue.yml @@ -3,15 +3,19 @@ on: push: branches: - master -permissions: - contents: read - issues: write jobs: build: + permissions: + contents: read + issues: write runs-on: "ubuntu-24.04" steps: - - uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4 - - name: "TODO to Issue" - uses: "alstr/todo-to-issue-action@v5" - with: - AUTO_ASSIGN: true + - + uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4 + with: + persist-credentials: false + - + name: "TODO to Issue" + uses: "alstr/todo-to-issue-action@v5" + with: + AUTO_ASSIGN: true diff --git a/.github/workflows/validate-renovate-custom-managers.yml b/.github/workflows/validate-renovate-custom-managers.yml index 4ab8bef7..90fe2773 100644 --- a/.github/workflows/validate-renovate-custom-managers.yml +++ b/.github/workflows/validate-renovate-custom-managers.yml @@ -14,5 +14,7 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: check run: ./.github/workflows/shell_scripts/validate-renovate-custom-managers.sh diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml index 0d6781ee..dae54106 100644 --- a/.github/workflows/validate-renovate.yml +++ b/.github/workflows/validate-renovate.yml 
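Review bot: In .github/workflows/rust.yml the `run:` steps on either side of the changed checkout still expand expressions straight into shell text (`echo '${{ toJSON(matrix) }}'` and `if [[ "${{ matrix.rustc_channel }}" == nightly ]]`), which is the pattern a template-injection lint reports and which this commit leaves as is. The matrix values presumably come from this workflow file, so the exposure is low, but a value containing a quote would still alter the script. I would pass them through the environment instead: add `env:` with `RUSTC_CHANNEL: ${{ matrix.rustc_channel }}` to the step and test `if [[ "$RUSTC_CHANNEL" == nightly ]]`. The install step's `run:` block continues past the end of the hunk, so further expansions may exist below.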
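Review bot: In .github/workflows/todo-as-issue.yml the workflow-level `permissions:` block is removed without a replacement, so any job added later without its own block falls back to the repository's default token permissions. I would keep a deny-all default at the top level, `permissions: {}`, alongside the new job-level grant; the same applies to validate-renovate.yml. Separately, the steps are rewritten with the `-` on a line of its own, which differs from the `- uses:` form in every other workflow touched here; keeping the original form would leave only the added `with:` lines in the diff.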
@@ -6,16 +6,17 @@ on: - 'renovate.json' - '.github/workflows/validate-renovate.yml' -permissions: - contents: read - pull-requests: write - jobs: lint: + permissions: + contents: read + pull-requests: write name: run renovate-config-validator runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: run lint and report env: URL: ${{ github.event.pull_request.html_url }}