From e781a467f16387412cb2087ff48dc746dfd394a8 Mon Sep 17 00:00:00 2001
From: Chris Rose
Date: Sat, 2 Nov 2024 14:43:37 -0700
Subject: [PATCH] security: don't persist git credentials in checkout
---
 .github/workflows/main.yml | 7 +++++++
 .github/workflows/release.yml | 13 +++++++++++--
 .pre-commit-config.yaml | 8 ++++----
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 97f66da..dff0fc7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -40,6 +40,8 @@ jobs:
 with:
 # We want our tags here
 fetch-depth: 0
+ persist-credentials: false
+
 - name: Install the latest version of uv
 id: setup-uv
 uses: astral-sh/setup-uv@v3
@@ -65,6 +67,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install the latest version of uv
 id: setup-uv
 uses: astral-sh/setup-uv@v3
@@ -104,6 +108,7 @@ jobs:
 with:
 # We want our tags here
 fetch-depth: 0
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v2
 install-dev:
@@ -116,6 +121,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install the latest version of uv
 id: setup-uv
 uses: astral-sh/setup-uv@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3338970..9f8bcce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,8 +16,6 @@ on:
 permissions:
 contents: read
- # Needed for trusted publishing.
- id-token: write
 jobs:
 pure-python-wheel-and-sdist:
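Review bot: Setting `persist-credentials: false` next to `fetch-depth: 0` in this `with:` block means any later step of the job that runs `git push`, creates a tag, or fetches a private repository over HTTPS will fail for want of credentials; the rest of the job is outside the hunk, so whether such a step exists cannot be confirmed here, but if one does it should be handed a narrowly scoped token on that step rather than have persistence turned back on. The `actions/checkout@v4` and `astral-sh/setup-uv@v3` references are mutable version tags, and pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment is the supply-chain counterpart of this change. The added blank line after `persist-credentials: false` is not mirrored in the identical `with:` block of the `@@ -104` hunk; dropping it keeps the two consistent.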
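Review bot: Nothing in the file enforces `persist-credentials: false`, so the next `actions/checkout` step added to main.yml will silently go back to writing the token into `.git/config`; a CI lint that flags checkouts without it (zizmor's `artipacked` audit does exactly this) would lock the setting in. Whether main.yml declares a workflow-level `permissions:` block is outside every hunk shown here; if it does not, `permissions: contents: read` at the top of the file bounds what `${{ github.token }}` can do even when a step references it explicitly, which `persist-credentials` alone does not prevent.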
@@ -29,11 +27,17 @@ jobs:
 with:
 # Fetch all tags; this is needed for hatch-vcs
 fetch-depth: 0
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v2
 # Upload to Test PyPI on every commit on main.
 publish-test-release:
+ permissions:
+ contents: read
+ # Needed for trusted publishing.
+ id-token: write
+
 name: Publish in-dev package to test.pypi.org
 environment: publish-test-release
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -54,6 +58,11 @@ jobs:
 repository-url: https://test.pypi.org/legacy/
 publish-release:
+ permissions:
+ contents: read
+ # Needed for trusted publishing.
+ id-token: write
+
 name: Publish release
 environment: publish-release
 needs:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4e44025..5f3a161 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,22 +5,22 @@ repos:
 - id: check-useless-excludes
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.6.0
+ rev: v5.0.0
 hooks:
 - id: debug-statements
 - repo: https://github.com/asottile/blacken-docs
- rev: 1.18.0
+ rev: 1.19.1
 hooks:
 - id: blacken-docs
 # args: ["-l100"]
 - repo: https://github.com/astral-sh/ruff-pre-commit
 # Ruff version.
- rev: v0.6.8
+ rev: v0.7.2
 hooks:
 # Run the linter.
 - id: ruff
- args: [ --fix ]
+ args: [--fix]
 # Run the formatter.
 - id: ruff-format
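Review bot: With `id-token: write` now granted at job level under `publish-test-release:`, the OIDC token's `environment` claim is the only thing that ties this job to the trusted publisher, so the publisher entry on test.pypi.org must be registered with the environment name `publish-test-release`; that configuration lives outside the repository and cannot be verified from the workflow. A short comment above the block would make the coupling visible to the next maintainer: `# The test.pypi.org trusted publisher must be pinned to environment publish-test-release; a publisher registered without an environment lets any job holding id-token: write publish.` `hynek/build-and-inspect-python-package@v2` on the context line is a mutable tag; pinning it to a commit SHA is worth doing in the same pass.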
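Review bot: `contents: read` is restated inside the new job-level `permissions:` block under `publish-release:` because a job-level block replaces the workflow-level one rather than merging with it, and nothing in the hunk says so; a later reader may "deduplicate" it and leave the job with only `id-token: write`, or conversely assume it is needed when the job's steps (outside the hunk) may not check anything out. A comment above the block would prevent both mistakes: `# Job-level permissions replace (not extend) the workflow-level block; contents: read is restated deliberately.` Since this is the production publisher, the `publish-release` environment should carry required-reviewer or deployment-branch protection so the OIDC token is only minted after a human gate; that is repository configuration and is not visible here. The `needs:` list continues outside the hunk.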