ci: apply zizmor recommendations#149

Merged: james-d-elliott merged 1 commit into master from ci-zizmor, May 12, 2026
@james-d-elliott james-d-elliott commented May 12, 2026

Summary by CodeRabbit

  • Chores
    • Updated automated development workflows with enhanced security configuration for credential handling across continuous integration processes.

@james-d-elliott james-d-elliott requested a review from a team as a code owner May 12, 2026 09:06
@james-d-elliott james-d-elliott merged commit 76dad32 into master May 12, 2026
7 checks passed
@james-d-elliott james-d-elliott deleted the ci-zizmor branch May 12, 2026 09:08
coderabbitai Bot commented May 12, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e1f1b1e-c419-4b2b-9b11-0cbf04e3587a

📥 Commits

Reviewing files that changed from the base of the PR and between e4498f2 and aede4aa.

📒 Files selected for processing (3)
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/go.yml

Walkthrough

Three GitHub Actions workflow files are updated to disable credential persistence in all actions/checkout steps. Each checkout step now includes a with: block setting persist-credentials: false, preventing repository credentials from being retained in the runner environment after checkout completes.

Changes

Workflow Security Hardening

Layer: Disable credential persistence in all checkout steps
File(s): .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/go.yml
Summary: All actions/checkout steps across CodeQL, dependency review, and Go workflows add persist-credentials: false configuration to prevent credential leakage in runner environments.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 Three workflows stand in a line,
Each checkout now shows discipline divine,
persist-credentials: false they declare,
Credentials safe, kept with utmost care! 🔐

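A way to check other workflow files for the setting this PR applies, as an added example that is not part of the pull request and is not zizmor's implementation. It is a line-based heuristic that relies on actions/checkout persisting credentials unless persist-credentials is set to false; the function name and the sample workflow are constructed for illustration.

```python
import re

ITEM = re.compile(r"^(\s*)-\s+\S")  # start of a YAML list item (each step is one)
USES_CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/checkout@")
PERSIST_FALSE = re.compile(
    r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$", re.IGNORECASE)

def unhardened_checkouts(workflow_text):
    """Return 1-based line numbers of actions/checkout steps lacking
    persist-credentials: false. Line-based heuristic, not a YAML parser."""
    lines = workflow_text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        m = ITEM.match(lines[i])
        if not m:
            i += 1
            continue
        # The step's block runs until a line indented no deeper than its dash;
        # blank lines and comment lines do not end it.
        depth, j = len(m.group(1)), i + 1
        while j < len(lines):
            s = lines[j].strip()
            indent = len(lines[j]) - len(lines[j].lstrip(" "))
            if s and not s.startswith("#") and indent <= depth:
                break
            j += 1
        block = lines[i:j]
        uses = [k for k, text in enumerate(block) if USES_CHECKOUT.match(text)]
        if uses and not any(PERSIST_FALSE.match(text) for text in block):
            findings.append(i + uses[0] + 1)  # report the line holding "uses:"
        i = j if uses else i + 1
    return findings

# Constructed sample workflow fragment (not one of the files changed in this PR).
SAMPLE = """\
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: actions/checkout@v4
    with:
      persist-credentials: false
  - uses: actions/checkout@v4
    with:
      persist-credentials: true
"""

if __name__ == "__main__":
    print(unhardened_checkouts(SAMPLE))
```

Values given as expressions (for example `${{ ... }}`) are reported as unhardened, since the scanner cannot evaluate them.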
