Don't persist credentials #229

	name: CI

	on: [pull_request, push]

	permissions: {}

	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}
	cancel-in-progress: ${{ github.head_ref != '' }}

	jobs:
	ci:
	name: Check
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	persist-credentials: false

	- name: Setup nodejs
	uses: actions/setup-node@v4
	with:
	node-version: 'lts/*'

	- name: Install tools
	run: \|
	npm install
	npm ls
	npm ls --all

	- name: Lint code
	run: npm run lint

	- name: Format code
	run: \|
	npm run format
	git diff --exit-code

	- name: Build code
	run: \|
	rm -r _site
	npm run build
	git diff \
	--exit-code \
	':(exclude)_site/news_feed.atom'
	git diff \
	--exit-code \
	-I '<updated>.*</updated>' \
	_site/news_feed.atom

	- name: Check html
	run: \|
	npm run check-html

	- name: Upload build artifacts
	uses: actions/upload-artifact@v4
	with:
	name: website
	path: _site

	- name: Check GitHub Actions workflow
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	pip install zizmor
	zizmor \
	--format sarif \
	--pedantic \
	./ \
	\| jq '(.runs[].results \|= map(select(.ruleId != "unpinned-uses")))
	\| (.runs[].tool.driver.rules \|= map(select(.id != "unpinned-uses")))' \
	> "${{ runner.temp }}/zizmor_results.sarif"

	- name: Upload zizmor results
	uses: github/codeql-action/upload-sarif@v3
	with:
	category: zizmor
	sarif_file: "${{ runner.temp }}/zizmor_results.sarif"

Provide feedback