fix(ci): harden workflow security across deploy and release pipelines (#1345)

- Remove GCP_SA_KEY from GITHUB_ENV in deploy-live and deploy-preview;
  google-github-actions/auth already exports GOOGLE_APPLICATION_CREDENTIALS
  via ADC, so the explicit credential export step was unnecessary and
  exposed the SA JSON in plaintext to all subsequent steps
- Add --ignore-scripts to yarn install in deploy-preview build job to
  prevent postinstall lifecycle hooks from executing untrusted PR code
- Delete combine-dependabot-prs.yml: workflow was non-functional due to
  JS syntax errors and depended on an archived third-party action
- Add explicit permissions: contents: read to deploy-live build job
- Replace hardcoded personal git identity in canary-release with
  github-actions[bot] identity

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sserrata

.github/workflows/canary-release.yml

@@ -27,8 +27,8 @@ jobs:
           cache: yarn
       - name: Prepare git
         run: |
-          git config --global user.name "Steven Serrata"
-          git config --global user.email "sserrata@paloaltonetworks.com"
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git fetch
           git checkout main
           echo "//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}" >> .npmrc

.github/workflows/combine-dependabot-prs.yml

@@ -9,6 +9,8 @@ jobs:
     if: github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs'
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -59,9 +61,6 @@ jobs:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
 
-      - name: Export Google Cloud Credentials
-        run: echo "GCP_SA_KEY=$(cat ${{ steps.auth.outputs.credentials_file_path }})" >> $GITHUB_ENV
-
       - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
         with:
           name: build
@@ -74,7 +73,6 @@ jobs:
         uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0.10.0
         with:
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
-          firebaseServiceAccount: "${{ env.GCP_SA_KEY }}"
           projectId: pandev
           channelId: live
           target: docusaurus-openapi.tryingpan.dev

.github/workflows/deploy-live.yml

@@ -112,7 +112,7 @@ jobs:
           cache: "yarn"
 
       - name: Install dependencies
-        run: yarn --prefer-offline
+        run: yarn --prefer-offline --ignore-scripts
 
       - name: Build packages
         run: yarn build-packages
@@ -155,9 +155,6 @@ jobs:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
 
-      - name: Export Google Cloud Credentials
-        run: echo "GCP_SA_KEY=$(cat ${{ steps.auth.outputs.credentials_file_path }})" >> $GITHUB_ENV
-
       - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
         with:
           name: build
@@ -170,7 +167,6 @@ jobs:
         uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0.10.0
         with:
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
-          firebaseServiceAccount: "${{ env.GCP_SA_KEY }}"
           projectId: pandev
           expires: 30d
           channelId: "pr${{ github.event.number }}"