From 8075958891cfa83206385d76f34cf9504eb473af Mon Sep 17 00:00:00 2001
From: Morgan Chen
Date: Fri, 26 Jun 2026 15:51:36 -0700
Subject: [PATCH] chore(ci): Fix zizmor security findings in workflows

Resolved findings flagged by zizmor:
- Added explicit global `contents: read` permissions to `ci.yml`, `nightly.yml`, and `release.yml`.
- Configured checkouts to set `persist-credentials: false` in `ci.yml`, `nightly.yml`, and the staging phase of `release.yml`.
- Added explicit `persist-credentials: true` with a `# zizmor: ignore[artipacked]` comment to the checkout step in the publishing phase of `release.yml`, where credentials are required for git commands inside `publish_preflight_check.sh`.
---
 .github/workflows/ci.yml | 7 +++++++
 .github/workflows/nightly.yml | 4 ++++
 .github/workflows/release.yml | 8 ++++++++
 3 files changed, 19 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5bf78a56..f995f8d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: Continuous Integration
 on: pull_request
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -12,6 +15,8 @@ jobs:
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
     - name: Set up Python 3.13 for emulator
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -53,6 +58,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
     - name: Set up Python 3.9
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d60b3cd0..3a9d14c7 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -22,6 +22,9 @@ on:
   repository_dispatch:
     types: [firebase_nightly_build]
+permissions:
+  contents: read
+
 jobs:
   nightly:
@@ -32,6 +35,7 @@ jobs:
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
       with:
         ref: ${{ github.event.client_payload.ref || github.ref }}
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6bbf19aa..aaab4c8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,9 @@ on:
     types:
     - firebase_build
+permissions:
+  contents: read
+
 jobs:
   stage_release:
     # To publish a release, merge a PR with the title prefix '[chore] Release ' to main
@@ -47,6 +50,8 @@ jobs:
     steps:
     - name: Checkout source for staging
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -106,6 +111,9 @@ jobs:
     steps:
     - name: Checkout source for publish
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+      with:
+        # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+        persist-credentials: true # zizmor: ignore[artipacked]
       # Download the artifacts created by the stage_release job.
     - name: Download release candidates
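Review bot: The token persisted by the publish checkout (`persist-credentials: true` in the last release.yml hunk) is now read-only unless the publish job carries its own `permissions:` block overriding the workflow-level `contents: read` added earlier in this file; that job header is outside the hunk, so if the preflight script or a later step pushes tags or commits, this should be confirmed rather than assumed. Persisting the credential also stores it in the checkout's git config for the remainder of the job, where every subsequent step — including third-party actions and anything that ends up in an uploaded artifact — can read it, which is the exposure the artipacked finding describes. Since the commit message says only `publish_preflight_check.sh` needs git credentials, a narrower option is to keep `persist-credentials: false` here too and hand the token to that single step with `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (or configure the remote with it inside that step), which would let the zizmor ignore go away. If the ignore stays, the comment should name the consumer and the scope, e.g. `# persist-credentials is required by publish_preflight_check.sh (git commands against origin); token scope is set by this job's permissions block.`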