From c9ffdff91369bea6aefaaffa661b32734b186a7d Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 05:29:03 +0200 Subject: [PATCH 1/2] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in the gh-pages test workflow. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/test-ghpages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-ghpages.yml b/.github/workflows/test-ghpages.yml index 84732f0ce..861277211 100644 --- a/.github/workflows/test-ghpages.yml +++ b/.github/workflows/test-ghpages.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Ruby uses: ruby/setup-ruby@v1 From 67ae8ae6c1d3ddae83fb545d179f7d2ebc212e25 Mon Sep 17 00:00:00 2001 
From: jrfnl Date: Sat, 20 Sep 2025 05:29:51 +0200 Subject: [PATCH 2/2] GH Actions: set permissions for each workflow/job > Users frequently over-scope their workflow and job permissions, or set broad workflow-level permissions without realizing that all jobs inherit those permissions. > > Furthermore, users often don't realize that the _default_ `GITHUB_TOKEN` permissions can be very broad, meaning that workflows that don't configure any permissions at all can _still_ provide excessive credentials to their individual jobs. > > **Remediation** > In general, permissions should be declared as minimally as possible, and as close to their usage site as possible. > > In practice, this means that workflows should almost always set `permissions: {}` at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed. Refs: * https://docs.zizmor.sh/audits/#excessive-permissions --- .github/workflows/test-ghpages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-ghpages.yml b/.github/workflows/test-ghpages.yml index 861277211..8e821bc75 100644 --- a/.github/workflows/test-ghpages.yml +++ b/.github/workflows/test-ghpages.yml @@ -5,6 +5,8 @@ on: # Allow manually triggering the workflow. workflow_dispatch: +permissions: {} + jobs: #### TEST THAT THE GH PAGES SITE GETS BUILT WITHOUT ERRORS #### test:
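Review bot: for the `persist-credentials: false` hunk in PATCH 1/2, the visible context stops at the `ruby/setup-ruby@v1` step, so please confirm that no later step of `test-ghpages.yml` runs an authenticated `git` command (a push to the gh-pages branch, for example), since those would start failing once the token is no longer written to `.git/config`; if one does, the commit message's own guidance applies and that step should get an explicit `persist-credentials: true` instead. As a secondary point, `uses: actions/checkout@v4` is still a mutable tag reference, and pinning it to a full commit SHA would close the remaining supply-chain gap in the same step.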
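Review bot: the `permissions: {}` hunk in PATCH 2/2 removes every `GITHUB_TOKEN` scope at the workflow level but adds no job-level block for the `test` job that follows, even though the commit message says job-level permissions should then be set as needed. The `actions/checkout` step in this workflow fetches the repository with that token, which succeeds with an empty scope set only for a public repository; if the repository is, or may become, private, add `permissions:` / `contents: read` under `test:` so the checkout keeps working with the minimal read scope.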