From e07ccb8a702a2043d0108ad95956f54ff1565500 Mon Sep 17 00:00:00 2001
From: Restioson
Date: Tue, 5 Nov 2024 13:21:51 +0200
Subject: [PATCH] fix(ci): set persist-credentials to false
This was a linting failure from [zizmor](https://blog.yossarian.net/2024/10/27/Now-you-can-have-beautiful-clean-workflows). See https://github.com/actions/checkout/issues/485 for more info on why this is a potential security issue.
---
 .github/workflows/develop.yml | 2 ++
 .github/workflows/production.yml | 2 ++
 .github/workflows/testing.yml | 5 +++++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml
index 62347b9c..2c297fc1 100644
--- a/.github/workflows/develop.yml
+++ b/.github/workflows/develop.yml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Login to SADiLaR Container Registry
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index c8383e19..59c5d727 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Login to SADiLaR Container Registry
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index c9a90702..9590f0b4 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -23,6 +23,8 @@ jobs:
 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.12
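Review bot: The `persist-credentials: false` added to the Checkout step in develop.yml carries no comment saying why it is there, so a later edit that wants an authenticated git command may remove it without noticing the security reason. A line such as `# keep the GITHUB_TOKEN out of .git/config so later steps and uploaded artifacts cannot read it` directly above the key would record the intent. The same applies to the checkout steps in production.yml and to the three in testing.yml. The jobs continue outside these hunks, so whether any later step relies on the persisted token cannot be confirmed from here.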
@@ -80,6 +82,8 @@ jobs:
 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.12
@@ -126,6 +130,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Get all commits on current main
 run: git fetch origin main
 - name: Log all commits we will analyse
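Review bot: In the last testing.yml hunk (`@@ -126,6 +130,7 @@`), the `git fetch origin main` step right after this checkout now runs without the token that checkout previously left in the git config. If the repository is private (visibility is not shown here) that fetch will fail for lack of credentials. With `fetch-depth: 0` the checkout should already have fetched history for all branches, so `origin/main` is probably present and the fetch step could be dropped; otherwise that step needs its own explicitly scoped credentials. The rest of the job lies outside the hunk.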