From 6fa26fe651979bbda7e7fe449d8c87c92097e687 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Fri, 6 Dec 2024 13:42:10 -0500
Subject: [PATCH] ci: add some missing persist-credentials

Most of the checkout action usages in `ci.yml` already specified
`persist-credentials: false`, but a few were missing it. This is
flagged[0] when running Zizmor 0.7.0 on the repo's CI config.

[0]: https://woodruffw.github.io/zizmor/audits/#artipacked
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index db6d0af..f813113 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -147,6 +147,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Turn on Linux KVM features/support for faster Android emulation.
       # References:
@@ -199,6 +201,8 @@ jobs:
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Run iOS tests
         run: |
           rustup target add aarch64-apple-ios-macabi
@@ -209,6 +213,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: test on freebsd
         uses: vmactions/freebsd-vm@v1
         # Settings adopted from https://github.com/quinn-rs/quinn