chore(ci): Fix zizmor security findings in workflows

morganchen12 · morganchen12 · commit 8075958891cf · 2026-06-26T15:51:36.000-07:00
Resolved findings flagged by zizmor:
- Added explicit global `contents: read` permissions to `ci.yml`, `nightly.yml`, and `release.yml`.
- Configured checkouts to set `persist-credentials: false` in `ci.yml`, `nightly.yml`, and the staging phase of `release.yml`.
- Added explicit `persist-credentials: true` with a `# zizmor: ignore[artipacked]` comment to the checkout step in the publishing phase of `release.yml`, where credentials are required for git commands inside `publish_preflight_check.sh`.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: Continuous Integration
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -12,6 +15,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
 
     - name: Set up Python 3.13 for emulator
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -53,6 +58,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
     - name: Set up Python 3.9
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -22,6 +22,9 @@ on:
   repository_dispatch:
     types: [firebase_nightly_build]
 
+permissions:
+  contents: read
+
 jobs:
   nightly:
 
@@ -32,6 +35,7 @@ jobs:
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
       with:
         ref: ${{ github.event.client_payload.ref || github.ref }}
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,6 +32,9 @@ on:
     types:
       - firebase_build
 
+permissions:
+  contents: read
+
 jobs:
   stage_release:
     # To publish a release, merge a PR with the title prefix '[chore] Release ' to main
@@ -47,6 +50,8 @@ jobs:
     steps:
     - name: Checkout source for staging
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -106,6 +111,9 @@ jobs:
     steps:
     - name: Checkout source for publish
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+        persist-credentials: true # zizmor: ignore[artipacked]
 
     # Download the artifacts created by the stage_release job.
     - name: Download release candidates
