From 7c9477be6ed3b2b05b96cb0210f9ec2724f09ad5 Mon Sep 17 00:00:00 2001
From: honorless <86894501+lesshonor@users.noreply.github.com>
Date: Mon, 25 Mar 2024 14:26:35 -0400
Subject: [PATCH] ci(build): improve security posture

* Limit unnecessary permissions.
* Avoid storing credentials.
---
 .github/workflows/build.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 804c35f1..b54c9eef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ on:
 schedule:
 - cron: "22 4 * * *"
 
+permissions: {}
+
 jobs:
 build:
 if: ${{ always() }}
@@ -25,6 +27,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Cache west modules
 uses: actions/cache@v4
 env:
@@ -179,6 +183,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -335,6 +341,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -415,6 +423,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: tj-actions/changed-files@v44
 id: changed-files
 with:
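Review bot: The workflow-level `permissions: {}` in the first hunk strips every scope from GITHUB_TOKEN, but none of the five hunks adds a job-level `permissions:` block back, so any step that still relies on the token — checkout of a private repository, or `tj-actions/changed-files@v44` in the last hunk when it queries the API for pull-request events with its default token — may now fail with an authorization error rather than run unprivileged. Each job that reads the repository should receive the minimal grant explicitly under its own key, e.g. `permissions:` followed by `contents: read`, leaving the workflow default empty. The four `persist-credentials: false` additions in hunks 2–5 are consistent with each other; steps later in those jobs that need to push or call the API must then be given a token explicitly, and since each job's definition starts and ends outside its hunk such steps are not visible here. Given the commit's stated hardening goal, pinning the third-party `tj-actions/changed-files@v44` (context line in the last hunk) to a full commit SHA would be a natural follow-up.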