From 99db1ecb8b76628ada8fe30c85f6f98a2a8b246c Mon Sep 17 00:00:00 2001
From: Don Naro
Date: Wed, 3 Dec 2025 19:13:49 +0000
Subject: [PATCH] ci: fix issues identified by zizmor GHA linter

Co-authored-by: Maxwell G <9920591+gotmax23@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/labeler.yml | 5 +++++
 .github/workflows/reusable-nox.yml | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 58ab8908fa6..93ee76ba728 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,6 +16,9 @@ name: Ansible Docsite CI
 - ready_for_review # used in PRs created from GitHub Actions workflows
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 nox:
 uses: ./.github/workflows/reusable-nox.yml
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index c2ad213f33c..7ca18b73634 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -29,6 +29,9 @@ name: "Triage Issues and PRs"
+permissions:
+ contents: read
+
 jobs:
 label_prs:
 runs-on: ubuntu-latest
@@ -48,6 +51,8 @@ jobs:
 private-key: ${{ secrets.BOT_APP_KEY }}
 - name: Checkout parent repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Install Python 3.12
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/reusable-nox.yml b/.github/workflows/reusable-nox.yml
index c46f4a4552d..a114df97d5f 100644
--- a/.github/workflows/reusable-nox.yml
+++ b/.github/workflows/reusable-nox.yml
@@ -38,6 +38,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Setup nox
 uses: wntrblm/nox@2025.10.16
 with:
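Review bot: The new workflow-level `permissions:` block in `.github/workflows/ci.yaml` carries no comment saying that it is also the ceiling for the called `./.github/workflows/reusable-nox.yml`, which can narrow the GITHUB_TOKEN scopes but cannot widen them. I would add `# Read-only token for every job; the called reusable-nox.yml workflow cannot raise these scopes.` above `permissions:`. Every scope not listed becomes `none`, so a job further down the `jobs:` map that writes anything (comments, statuses, packages) would need its own job-level `permissions:`. The map continues outside the hunk, so that is worth confirming before merge.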
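Review bot: In the first hunk of `.github/workflows/labeler.yml` (`@@ -29,6 +29,9 @@`), the workflow-level `permissions: contents: read` drops `issues` and `pull-requests` to `none` for GITHUB_TOKEN in every job, and nothing visible shows that labelling never relies on that token. The later hunk shows a `private-key: ${{ secrets.BOT_APP_KEY }}` input, so labels are presumably applied with an App token. If that is the case, say so next to the block, e.g. `# Labels are applied with the bot App token; GITHUB_TOKEN stays read-only.` Only the head of `label_prs` is visible here, so the remaining steps and jobs should be checked for any write call that still passes `github.token`.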
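Review bot: In the second hunk of `.github/workflows/labeler.yml` (`@@ -48,6 +51,8 @@`), `persist-credentials: false` on `Checkout parent repository` keeps only the checkout token out of `.git/config`; the App token minted just above from `secrets.BOT_APP_KEY` is unaffected and is likely the more powerful credential in this job. A comment such as `# Do not leave the checkout token in .git/config for later steps.` above `with:` would record the intent. The App token should be passed only to the step that applies labels, and requested with the narrowest permissions the labeler needs. The token step and everything after `Install Python 3.12` lie outside the hunk, so this is a check to make rather than a confirmed gap.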
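Review bot: `uses: wntrblm/nox@2025.10.16` in the `Setup nox` step of `.github/workflows/reusable-nox.yml` is still pinned to a tag, which the action's owner can move, so the hardening added to the checkout step above it does not cover this third-party action. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: wntrblm/nox@<full-commit-sha> # 2025.10.16`, makes the executed code immutable and still lets update tooling bump it. The same applies, at lower priority, to `actions/checkout@v5` here and to `actions/checkout@v5` and `actions/setup-python@v6` in `labeler.yml`. The `with:` block of `Setup nox` continues outside the hunk.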