workflows: fix zizmor findings (part 1) (#190)

Signed-off-by: Patrick Linnane <patrick@linnane.io>

.github/workflows/docker-pr.yml

@@ -19,6 +19,7 @@ jobs:
         with:
           fetch-tags: true
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Homebrew
         uses: Homebrew/actions/setup-homebrew@master
@@ -62,4 +63,6 @@ jobs:
 
       - run: |
           echo "Test this with:"
-          echo "docker pull ${{ steps.build.outputs.docker_image }}"
+          echo "docker pull ${DOCKER_IMAGE}"
+        env:
+          DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }}

.github/workflows/docker.yml

@@ -25,6 +25,7 @@ jobs:
         with:
           fetch-tags: true
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Homebrew
         uses: Homebrew/actions/setup-homebrew@master

.github/workflows/docs-deploy.yml

@@ -17,6 +17,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/go.yml

@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: build essential
       run: |

docs/docs/CHANGELOG.md

@@ -31,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`.
 - Fixed minor typos
 - Added `zizmor` for GitHub Actions static analysis
+- Fixed most `zizmor` findings
 
 ## v1.15.1