Merge pull request #8526 from hugovk/zizmor

Apply security fixes to GitHub Actions

.github/workflows/docs.yml

@@ -33,6 +33,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5

.github/workflows/lint.yml

@@ -21,6 +21,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: pre-commit cache
       uses: actions/cache@v4

.github/workflows/stale.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  issues: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -15,6 +15,8 @@ concurrency:
 jobs:
   stale:
     if: github.repository_owner == 'python-pillow'
+    permissions:
+      issues: write
 
     runs-on: ubuntu-latest
 

.github/workflows/test-cygwin.yml

@@ -48,6 +48,8 @@ jobs:
 
       - name: Checkout Pillow
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Cygwin
         uses: cygwin/cygwin-install-action@v4

.github/workflows/test-docker.yml

@@ -65,6 +65,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Build system information
       run: python3 .github/workflows/system-info.py

.github/workflows/test-mingw.yml

@@ -46,6 +46,8 @@ jobs:
     steps:
       - name: Checkout Pillow
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up shell
         run: echo "C:\msys64\usr\bin\" >> $env:GITHUB_PATH

.github/workflows/test-valgrind.yml

@@ -40,6 +40,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Build system information
       run: python3 .github/workflows/system-info.py

.github/workflows/test-windows.yml

@@ -44,16 +44,20 @@ jobs:
     steps:
     - name: Checkout Pillow
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Checkout cached dependencies
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         repository: python-pillow/pillow-depends
         path: winbuild\depends
 
     - name: Checkout extra test images
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         repository: python-pillow/test-images
         path: Tests\test-images
 

.github/workflows/test.yml

@@ -63,6 +63,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5

.github/workflows/wheels.yml

@@ -61,6 +61,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: true
 
       - uses: actions/setup-python@v5
@@ -132,6 +133,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: true
 
       - uses: actions/setup-python@v5
@@ -173,10 +175,13 @@ jobs:
           - cibw_arch: ARM64
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout extra test images
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: python-pillow/test-images
           path: Tests\test-images
 
@@ -253,6 +258,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5