From 1183cc2933f922f928472397bc89606c6def3359 Mon Sep 17 00:00:00 2001 From: jon Date: Tue, 12 May 2026 10:50:56 +0100 Subject: [PATCH] chore: harden GitHub Actions CI --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4ae7b23..a4c3b2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,13 +6,20 @@ on: - main pull_request: +permissions: {} + jobs: check: runs-on: ubuntu-latest + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v5 + with: + persist-credentials: false - name: Setup Bun uses: oven-sh/setup-bun@v2
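Review bot: The `if:` added to the `check` job skips the whole job for pull requests opened from forks, and GitHub reports a job skipped by a condition as successful, so if `check` is a required status check a fork PR would satisfy it without a single step having run. Under the `pull_request` trigger a fork run already gets a read-only token and no secrets, and this commit also adds `permissions: contents: read` and `persist-credentials: false`, so the guard looks redundant unless a later step needs it (the steps list continues outside the hunk). Consider dropping the condition, or keep it with a comment stating the reason, e.g. `# fork PRs are skipped because <reason>; run them via <alternative>`. Separately, `actions/checkout@v5` and `oven-sh/setup-bun@v2` are still referenced by mutable tags; pinning each to a full commit SHA, as in `uses: oven-sh/setup-bun@<full-commit-sha>  # v2`, would complete the hardening.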