From 06db288c12e72cf54bd6a2ca5969bbb812605b5d Mon Sep 17 00:00:00 2001
From: William Martin
Date: Wed, 20 May 2026 16:01:26 +0200
Subject: [PATCH] Harden CI workflow per zizmor

- Add top-level 'permissions: contents: read' (fixes excessive-permissions)
- Set 'persist-credentials: false' on actions/checkout (fixes artipacked)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/push.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index d2d142f..7e74061 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -1,6 +1,10 @@
 on: [push, pull_request]
 name: CI
+
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -13,6 +17,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup go
         uses: actions/setup-go@v6
         with:
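Review bot: The new top-level `permissions:` block makes the GITHUB_TOKEN read-only for every job in the workflow, but nothing in the hunk records that intent or that a job needing more scope must override it at job level rather than here; a comment above `permissions:` such as `# Default token scope for every job is contents:read only; grant extra scopes per job, never workflow-wide.` would keep a later maintainer from widening it for all jobs. Listing only `contents: read` also sets every unlisted scope to none, which is the least-privilege result wanted here but is worth stating because the jobs that might need another scope lie outside the hunk. The `jobs:` mapping continues past the end of this hunk.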
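Review bot: `persist-credentials: false` stops actions/checkout from leaving the token in the checkout's git config, so any later step in `test` that runs an authenticated git operation against this repository (a push, a fetch of a private submodule) will now fail; the steps after `Setup go` are outside the hunk and should be checked for that before merging, with a short comment on the `with:` line saying why the token is not persisted. Both `actions/checkout@v6` and `actions/setup-go@v6` are mutable tags, which zizmor's `unpinned-uses` audit will flag under a hash-pin policy, so the same hardening pass could pin them to a full commit SHA and keep the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6` (placeholder SHA). The `steps:` list continues past the end of this hunk.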