From ab566cdb0394558771683bae191105729f2a49ed Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Wed, 28 Apr 2021 23:01:43 +0200
Subject: ci: Lock down workflows

Closes #6430
(cherry picked from commit 8023b8c8fe6cfb13e4a561c87177744612bb42f9)
---
 .github/workflows/bleeding.yml | 5 +++++
 .github/workflows/ci.yml | 8 ++++++++
 .github/workflows/recompile-requirements.yml | 2 ++
 3 files changed, 15 insertions(+)

diff --git a/.github/workflows/bleeding.yml b/.github/workflows/bleeding.yml
index cf65f3dc5..5d464e3ac 100644
--- a/.github/workflows/bleeding.yml
+++ b/.github/workflows/bleeding.yml
@@ -25,6 +25,8 @@ jobs:
 options: --privileged --tty
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up problem matchers
 run: "python scripts/dev/ci/problemmatchers.py py3 ${{ runner.temp }}"
 - name: Run tox
@@ -51,6 +53,8 @@ jobs:
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
@@ -61,6 +65,7 @@ jobs:
 repository: asciidoc-py/asciidoc-py
 ref: '9.x'
 path: asciidoc
+ persist-credentials: false
 - name: Move asciidoc out of the repo
 run: mv asciidoc ..
 - name: Install dependencies
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9d1995c64..2cb239a1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,6 +32,8 @@ jobs:
 - testenv: yamllint
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/cache@v2
 with:
 path: |
@@ -88,6 +90,8 @@ jobs:
 options: --privileged --tty
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up problem matchers
 run: "python scripts/dev/ci/problemmatchers.py py38 ${{ runner.temp }}"
 - name: Run tox
@@ -142,6 +146,8 @@ jobs:
 runs-on: "${{ matrix.os }}"
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/cache@v2
 with:
 path: |
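Review bot: `persist-credentials: false` in the first bleeding.yml hunk (and at every other checkout touched in bleeding.yml, ci.yml and recompile-requirements.yml) only keeps the token out of `.git/config`; it does not narrow what the job's `GITHUB_TOKEN` is allowed to do. No `permissions:` key is visible in any of these hunks, so unless one is set in the parts of the files outside the diff, I would add a workflow-level `permissions:` block with `contents: read` and grant more only per job (the CodeQL job will likely need `security-events: write`). This matters most for the two jobs whose context shows `options: --privileged --tty`, since those run tox in a privileged container. The job definitions start and end outside the hunks.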
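Review bot: The checkout in the `@@ -61,6 +65,7 @@` hunk pulls `asciidoc-py/asciidoc-py` at `ref: '9.x'`, which looks like a branch name, so the third-party code that the following steps move and use can change between runs without any change in this repository. Dropping the persisted credentials is the right step here; pinning the ref to a full commit SHA, e.g. `ref: '<asciidoc-py commit SHA>'  # 9.x`, would also make that input reproducible and reviewable. The same consideration applies to the actions referenced by tag in the context lines (`actions/checkout@v2`, `actions/setup-python@v2`). The step list continues outside the hunk.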
@@ -186,6 +192,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v1
 with:
diff --git a/.github/workflows/recompile-requirements.yml b/.github/workflows/recompile-requirements.yml
index efdf39950..68a0d588f 100644
--- a/.github/workflows/recompile-requirements.yml
+++ b/.github/workflows/recompile-requirements.yml
@@ -19,6 +19,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python 3.7
 uses: actions/setup-python@v2
 with:
--
cgit v1.2.3-54-g00ecf
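Review bot: In the recompile-requirements.yml hunk the checkout no longer leaves a token in `.git/config`, so any later step in this job that pushes a branch or opens a pull request through plain git will fail unless it is given a token explicitly. Those steps are outside the hunk, so this is inferred from the workflow's name rather than seen. If such a step exists, pass the token to that step only (for an action, typically through its `token` input) and add a comment above the checkout such as `# credentials are not persisted; the PR step authenticates on its own`. Scoping the token to the one step that needs it keeps the requirement-compilation steps, which presumably run pip against third-party packages, from finding it in the working tree.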