From 9c5c417f5af6f9a63923ef1c979318bbce6e97a1 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 18:27:31 -0400
Subject: [PATCH 1/2] CI: harden GHA configuration

This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions that required.
---
 .github/workflows/linux_gpu.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/linux_gpu.yml b/.github/workflows/linux_gpu.yml
index 50c351c..302d829 100644
--- a/.github/workflows/linux_gpu.yml
+++ b/.github/workflows/linux_gpu.yml
@@ -23,10 +23,8 @@ jobs:
         with:
           submodules: true
-          # a personal access token is added as a secret to this repo
           token: ${{ secrets.GH_ACTIONS_TOKEN }}
-
-      # Runs a single command using the runners shell
+          persist-credentials: false
       - name: Ensure the right machine
         run: hostname

From 41fe242d896ed57330b77233c39e6abff5f38fe0 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 20:31:54 -0400
Subject: [PATCH 2/2] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/linux_gpu.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/linux_gpu.yml b/.github/workflows/linux_gpu.yml
index 302d829..9963230 100644
--- a/.github/workflows/linux_gpu.yml
+++ b/.github/workflows/linux_gpu.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events but only for the master branch
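Review bot: `persist-credentials: false` stops the checkout from writing the token into the workspace's git config, but the step still authenticates with `token: ${{ secrets.GH_ACTIONS_TOKEN }}`, and the same hunk removes the only line that explained why a personal access token is used instead of the default `GITHUB_TOKEN`. Keep that explanation next to the token, e.g. `# PAT stored as a repo secret; its scope is set where it was created and is not limited by this workflow's permissions: block — keep it read-only`, so the next maintainer does not replace it with a broader token. The checkout step's `uses:` line and any later steps are outside the hunk, so whether the action is pinned and whether a later step still needs persisted credentials (only `hostname` is visible) cannot be checked here.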
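Review bot: The top-level `permissions:` block is only a workflow-wide default for `GITHUB_TOKEN`; a job can still widen it with its own `permissions:`, and the jobs begin below this hunk, so that cannot be confirmed here. It also does not constrain the PAT this workflow passes to checkout, which keeps whatever scope it was granted. A short comment would make the intent durable: `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job, never here.` Placing the block after the trigger section (`on:`) rather than between `name:` and its comment would keep the header in the conventional name/on/permissions order.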