Skip to content

chore(ci): address security findings flagged by zizmor#766

Open
morganchen12 wants to merge 34 commits into
devfrom
mc/zizmor
Open

chore(ci): address security findings flagged by zizmor#766
morganchen12 wants to merge 34 commits into
devfrom
mc/zizmor

Conversation

@morganchen12

Copy link
Copy Markdown
  • Applied persist-credentials: false to checkout steps to prevent credential leakage.
  • Added explicit workflow-level contents: read permissions.
  • Added explicit job-level permissions to publish_release in release.yml.

google-oss-bot and others added 30 commits May 21, 2020 11:49
* chore: Added and `AGENTS.md` file to instruct AI agents how to interact with this repository (#710)

* fix(auth): Fixed auth error code parsing (#712)

* fix(auth): Fixed auth error code parsing

* fix(auth): Fixed test to use error message prefix

* chore: update copyright headers from Google Inc. to Google LLC (#713)

* chore: Update github actions workflows and integration test resources (#740)

* chore: Pinned github actions to a full-length commit SHA

* chore: Update integration test resources

* chore: Added environment label to release action

* Trigger integration tests

* feat(firestore): Added Firestore Multi Database Support (#733)

* feat(firestore): Add Firestore Multi Database Support

* fix: Address gemini review

* fix: gemini review

* fix: Update name from API review

* fix: Address review comments

* chore: Fix CONTRIBUTING.md typo

Co-authored-by: Lahiru Maramba <llahiru@gmail.com>

---------

Co-authored-by: Lahiru Maramba <llahiru@gmail.com>

* feat(auth): Add `QueryUsers` API (#727)

This change implements the accounts:query functionality, providing a new QueryUsers method that allows searching for users with filters and sorting options.

RELEASE_NOTE: Added QueryUsers() API to support querying user accounts with filters, sorting, and pagination.

* Update the release actions process (#741)

This PR refactors the release automation to improve security by removing the direct merge from the workflow.

* [chore] Release 4.19.0 (#742)

* Revert "[chore] Release 4.19.0 (#742)" (#744)

This reverts commit 3a86709.

* chore: Update Release Workflows for Push triggers (#745)

* chore: Update release actions to run on Release env

* Trigger CI

* update the actions

* update the base_ref

* remove fetch-depth to prevent conflicts

* [chore] Release 4.19.0 Take 2 (#746)

---------

Co-authored-by: Jonathan Edey <145066863+jonathanedey@users.noreply.github.com>
Co-authored-by: Lahiru Maramba <llahiru@gmail.com>
lahirumaramba and others added 3 commits May 14, 2026 16:13
- Applied `persist-credentials: false` to checkout steps to prevent credential leakage.
- Added explicit workflow-level `contents: read` permissions.
- Added explicit job-level permissions to `publish_release` in `release.yml`.
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@jonathanedey jonathanedey left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking this should be staged against dev instead.

@lahirumaramba I just noticed that the dev and master versions of the release workflows are slightly out of sync since I thought we removed the tag_release workflow and pr creation permissions in #751. I think aa29809 may have overwritten these.

@morganchen12

Copy link
Copy Markdown
Author

Synced this PR with dev: dev...mc/zizmor

Does this diff look correct?

@lahirumaramba lahirumaramba changed the base branch from master to dev July 7, 2026 12:42
@lahirumaramba

Copy link
Copy Markdown
Member

Ah, good catch @jonathanedey. Thanks!

I changed the base to dev, but yeah the workflow needs fixing before we can merge this I think

@lahirumaramba lahirumaramba left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's hold off on this until we figure out the workflow issues. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants