From 696fb80833d0ff55c14b3c26bebeda808c93d786 Mon Sep 17 00:00:00 2001
From: Michael Howitz
Date: Wed, 29 Jan 2025 07:59:48 +0100
Subject: [PATCH 1/3] Secure GHA setup Fixes #290.
---
 .github/workflows/tests.yml | 2 ++
 .meta.toml | 2 +-
 src/zope/meta/default/tests.yml.j2 | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 275490a..ac25395 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -37,6 +37,8 @@ jobs:
 name: ${{ matrix.config[1] }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
diff --git a/.meta.toml b/.meta.toml
index bb592ae..cd6c1cf 100644
--- a/.meta.toml
+++ b/.meta.toml
@@ -2,7 +2,7 @@
 # https://github.com/zopefoundation/meta/tree/master/config/pure-python
 [meta]
 template = "pure-python"
-commit-id = "c95980ef"
+commit-id = "55111d56"
 [python]
 with-windows = false
diff --git a/src/zope/meta/default/tests.yml.j2 b/src/zope/meta/default/tests.yml.j2
index 40cf253..c8977d6 100644
--- a/src/zope/meta/default/tests.yml.j2
+++ b/src/zope/meta/default/tests.yml.j2
@@ -90,6 +90,8 @@ jobs:
 %(line)s
 {% endfor %}
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
From b5bcf6d7cf042fe7d313febe096b311683762509 Mon Sep 17 00:00:00 2001
From: Michael Howitz
Date: Wed, 29 Jan 2025 08:04:06 +0100
Subject: [PATCH 2/3] Update more places in the config.
---
 .github/workflows/pre-commit.yml | 2 ++
 .meta.toml | 2 +-
 src/zope/meta/c-code/tests-cache.j2 | 2 ++
 src/zope/meta/default/pre-commit.yml.j2 | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index ff77ae6..c1e2378 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
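Review bot: The two lines added under `actions/checkout@v4` in src/zope/meta/default/tests.yml.j2 carry no comment saying why the option is set, and this template appears to be the source for generated workflows (the repository's own tests.yml receives the same change). Suggest a comment above the step such as `# Keep the GITHUB_TOKEN out of .git/config; a step that has to push must set up credentials itself.`, and the same above the checkout step in src/zope/meta/c-code/tests-cache.j2 (PATCH 2/3). The option only stops the token from being stored in the checkout; what the token is allowed to do is set by the workflow's `permissions:` block, which is outside this hunk, so it is worth confirming the template limits it to read access. The steps list continues past the end of the hunk.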
@@ -22,6 +22,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
diff --git a/.meta.toml b/.meta.toml
index cd6c1cf..125093f 100644
--- a/.meta.toml
+++ b/.meta.toml
@@ -2,7 +2,7 @@
 # https://github.com/zopefoundation/meta/tree/master/config/pure-python
 [meta]
 template = "pure-python"
-commit-id = "55111d56"
+commit-id = "696fb808"
 [python]
 with-windows = false
diff --git a/src/zope/meta/c-code/tests-cache.j2 b/src/zope/meta/c-code/tests-cache.j2
index c8e03b7..d052380 100644
--- a/src/zope/meta/c-code/tests-cache.j2
+++ b/src/zope/meta/c-code/tests-cache.j2
@@ -1,5 +1,7 @@
 - name: checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v5
 with:
diff --git a/src/zope/meta/default/pre-commit.yml.j2 b/src/zope/meta/default/pre-commit.yml.j2
index a5f2072..7ed21af 100644
--- a/src/zope/meta/default/pre-commit.yml.j2
+++ b/src/zope/meta/default/pre-commit.yml.j2
@@ -20,6 +20,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
From 75c6251b22403dfce775f4a6bf9a40ff7c9d01d0 Mon Sep 17 00:00:00 2001
From: Michael Howitz
Date: Wed, 29 Jan 2025 08:05:40 +0100
Subject: [PATCH 3/3] Undo change for pre-commit: It needs the credentials to push changes to the repository.
---
 .github/workflows/pre-commit.yml | 2 --
 .meta.toml | 2 +-
 src/zope/meta/default/pre-commit.yml.j2 | 2 --
 3 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c1e2378..ff77ae6 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
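Review bot: In src/zope/meta/default/pre-commit.yml.j2 the pre-commit job ends the series as the one checkout that still persists the token, since PATCH 3/3 takes these two lines out again because the job pushes changes to the repository, and nothing in the template records that this is deliberate. Suggest a comment above the checkout step, `# persist-credentials stays at its default: this job pushes changes back to the repository.`, so a later audit does not flag the step as an oversight or re-apply the option and break the push. With the token left in .git/config, every hook the job runs can read it, so it is worth confirming outside this hunk that the workflow's `permissions:` grant only what the push needs and that hook revisions in the pre-commit configuration are pinned.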
@@ -22,8 +22,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- with:
- persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
diff --git a/.meta.toml b/.meta.toml
index 125093f..7cd4163 100644
--- a/.meta.toml
+++ b/.meta.toml
@@ -2,7 +2,7 @@
 # https://github.com/zopefoundation/meta/tree/master/config/pure-python
 [meta]
 template = "pure-python"
-commit-id = "696fb808"
+commit-id = "b5bcf6d7"
 [python]
 with-windows = false
diff --git a/src/zope/meta/default/pre-commit.yml.j2 b/src/zope/meta/default/pre-commit.yml.j2
index 7ed21af..a5f2072 100644
--- a/src/zope/meta/default/pre-commit.yml.j2
+++ b/src/zope/meta/default/pre-commit.yml.j2
@@ -20,8 +20,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- with:
- persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x