Adjust CI config.

ubernostrum · ubernostrum · commit a1f39287298f · 2024-11-01T19:16:40.000-07:00
This is based on recommendations from zizmor, and followup reading on
its audit checks.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,7 +3,7 @@ name: CI
 
 on:
   push:
-    branches: [trunk]
+    branches: [ trunk ]
   pull_request:
   workflow_dispatch:
 
@@ -12,7 +12,7 @@ env:
   PIP_DISABLE_PIP_VERSION_CHECK: "1"
   PIP_NO_PYTHON_VERSION_WARNING: "1"
 
-permissions: {}
+permissions: { }
 
 jobs:
   build-package:
@@ -23,6 +23,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
         id: baipp
@@ -59,7 +60,7 @@ jobs:
       - name: Run tests
         run: "python -Im nox --non-interactive --error-on-external-run --tag tests --python ${{ matrix.python-version }}"
       - name: Upload coverage data
-        uses: actions/upload-artifact@v4
+        uses: PaloAltoNetworks/upload-secure-artifact@v1.0.5
         with:
           name: coverage-data-${{ matrix.python-version }}
           path: .coverage.*
@@ -74,6 +75,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -96,7 +99,7 @@ jobs:
           coverage report --fail-under=100
 
       - name: Upload HTML report if check failed.
-        uses: actions/upload-artifact@v4
+        uses: PaloAltoNetworks/upload-secure-artifact@v1.0.5
         with:
           name: html-report
           path: htmlcov
