Harden GH checkout action

.github/workflows/ci.yml

@@ -41,6 +41,8 @@ jobs:
             pypi.org:443
             api.github.com:443
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -78,6 +80,8 @@ jobs:
             pypi.org:443
             api.github.com:443
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           # Use latest Python, so it understands all syntax.

.github/workflows/codeql-analysis.yml

@@ -23,6 +23,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/nightly-tests.yaml

@@ -16,14 +16,15 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.12
+        with:
+          persist-credentials: false
+      - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.12"
+          python-version: "3.13"
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          python -m pip install --upgrade tox
+          python -m pip install --upgrade pip tox
       - name: Test
         id: test
         continue-on-error: true

.github/workflows/publish.yml

@@ -13,6 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: actions/setup-python@v5

.github/workflows/ruff.yml

@@ -14,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Python
         uses: actions/setup-python@v5
         with: