From 05a08f2253e9263695af346bf84d91caa5b48bc5 Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Thu, 12 Mar 2026 16:16:31 +1000
Subject: [PATCH] gha: clean up workflows

- Separate workflows for each job
- add default top level read permisssions
- set persist credentials to false for actions/checkout
- minor workflow naming clean up
---
 .github/workflows/check-gems.yml | 22 +++++++++++++++++++
 .../workflows/{lint.yml => pre-commit.yml} | 21 +++++++-----------
 .github/workflows/super-linter.yml | 4 ++++
 3 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/check-gems.yml
 rename .github/workflows/{lint.yml => pre-commit.yml} (69%)

diff --git a/.github/workflows/check-gems.yml b/.github/workflows/check-gems.yml
new file mode 100644
index 0000000..15d8a2a
--- /dev/null
+++ b/.github/workflows/check-gems.yml
@@ -0,0 +1,22 @@
+name: Lint
+
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ check-gems:
+ name: Check gem files
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.2' # Not needed with a .ruby-version file
+ bundler: 'default'
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ - run: bundle exec .check.rb
diff --git a/.github/workflows/lint.yml b/.github/workflows/pre-commit.yml
similarity index 69%
rename from .github/workflows/lint.yml
rename to .github/workflows/pre-commit.yml
index c49c521..dd219f8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/pre-commit.yml
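Review bot: In the new `.github/workflows/check-gems.yml`, `ruby/setup-ruby@v1` and `actions/checkout@v6` are still referenced by mutable tags, so the code this job runs can change without any commit to this repository. The read-only `permissions` and `persist-credentials: false` limit what a compromised action can reach, but they do not stop it from running. Pinning each action to a full commit SHA with the tag kept as a trailing comment, `uses: ruby/setup-ruby@<full-commit-sha> # v1`, closes that gap; the same applies to the `uses:` lines in pre-commit.yml and super-linter.yml. Separately, this workflow keeps `name: Lint` from the file it was split out of; `name: Check gems` would match the file and job name.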
@@ -1,24 +1,19 @@ -name: Lint +name: pre-commit on: [pull_request] +permissions: + contents: read + jobs: - check-gems: - name: Check gem files - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.2' # Not needed with a .ruby-version file - bundler: 'default' - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - - run: bundle exec .check.rb pre-commit: name: Run pre-commit # https://pre-commit.com/ runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout Code + uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-python@v6 # https://www.python.org/ with: python-version: '3.x' # Version range or exact version of a Python version to use, using SemVer's version range syntax diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index ed45b42..04dbc2c 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -3,6 +3,9 @@ name: Super-Linter on: [pull_request] +permissions: + contents: read + jobs: build: name: Lint Code Base @@ -13,6 +16,7 @@ jobs: with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false - name: Lint Code Base uses: super-linter/super-linter/slim@v8.5.0 env:
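Review bot: In `.github/workflows/super-linter.yml`, the new top-level `permissions: contents: read` limits the token to repository read access, so any `statuses: write` it had under the repository default is gone, and super-linter uses that scope when it reports a commit status per linter. The `env:` block of the `Lint Code Base` step lies outside the second hunk, so it is not visible here whether `GITHUB_TOKEN` is passed or `MULTI_STATUS` is turned off; if status reporting is in use, those API calls will presumably be rejected. Keeping the workflow-level default read-only and adding a job-level `permissions:` on `build` with `contents: read` and `statuses: write` would preserve least privilege while keeping the reporting. A short comment above the top-level block, such as `# read-only default; widen per job only where a step needs it`, would record the intent.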