Harden ci workflow

.github/workflows/ci.yml

@@ -8,12 +8,16 @@ on:
 
 jobs:
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
         python-version: ["3.13"]
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
@@ -27,6 +31,9 @@ jobs:
         run: mypy ./src/runboat ./tests
       - uses: codecov/codecov-action@v5
   build-image:
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     needs:
       - test