Make main.yaml workflow safer

Author: dalito

.github/workflows/main.yaml

@@ -1,11 +1,10 @@
-# Built from:
-# https://docs.github.com/en/actions/guides/building-and-testing-python
-# https://github.com/actions/setup-python/
-
+# Action passes pedantic check with zizmor 1.3.0, https://woodruffw.github.io/zizmor/
 name: Build and test linkml-runtime
 
 on: [pull_request]
 
+permissions: {}
+
 jobs:
   test:
     strategy:
@@ -17,7 +16,8 @@ jobs:
         - os: windows-latest
           python-version: "3.8"
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
     steps:
 
       #----------------------------------------------
@@ -33,6 +33,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b