chore(ci): address security findings flagged by zizmor#766
chore(ci): address security findings flagged by zizmor#766morganchen12 wants to merge 34 commits into
Conversation
- Release 4.12.0
* chore: Added and `AGENTS.md` file to instruct AI agents how to interact with this repository (#710) * fix(auth): Fixed auth error code parsing (#712) * fix(auth): Fixed auth error code parsing * fix(auth): Fixed test to use error message prefix * chore: update copyright headers from Google Inc. to Google LLC (#713) * chore: Update github actions workflows and integration test resources (#740) * chore: Pinned github actions to a full-length commit SHA * chore: Update integration test resources * chore: Added environment label to release action * Trigger integration tests * feat(firestore): Added Firestore Multi Database Support (#733) * feat(firestore): Add Firestore Multi Database Support * fix: Address gemini review * fix: gemini review * fix: Update name from API review * fix: Address review comments * chore: Fix CONTRIBUTING.md typo Co-authored-by: Lahiru Maramba <llahiru@gmail.com> --------- Co-authored-by: Lahiru Maramba <llahiru@gmail.com> * feat(auth): Add `QueryUsers` API (#727) This change implements the accounts:query functionality, providing a new QueryUsers method that allows searching for users with filters and sorting options. RELEASE_NOTE: Added QueryUsers() API to support querying user accounts with filters, sorting, and pagination. * Update the release actions process (#741) This PR refactors the release automation to improve security by removing the direct merge from the workflow. * [chore] Release 4.19.0 (#742) * Revert "[chore] Release 4.19.0 (#742)" (#744) This reverts commit 3a86709. * chore: Update Release Workflows for Push triggers (#745) * chore: Update release actions to run on Release env * Trigger CI * update the actions * update the base_ref * remove fetch-depth to prevent conflicts * [chore] Release 4.19.0 Take 2 (#746) --------- Co-authored-by: Jonathan Edey <145066863+jonathanedey@users.noreply.github.com> Co-authored-by: Lahiru Maramba <llahiru@gmail.com>
- Applied `persist-credentials: false` to checkout steps to prevent credential leakage. - Added explicit workflow-level `contents: read` permissions. - Added explicit job-level permissions to `publish_release` in `release.yml`.
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
jonathanedey
left a comment
There was a problem hiding this comment.
Thinking this should be staged against dev instead.
@lahirumaramba I just noticed that the dev and master versions of the release workflows are slightly out of sync since I thought we removed the tag_release workflow and pr creation permissions in #751. I think aa29809 may have overwritten these.
|
Synced this PR with dev: dev...mc/zizmor Does this diff look correct? |
|
Ah, good catch @jonathanedey. Thanks! I changed the base to |
lahirumaramba
left a comment
There was a problem hiding this comment.
Let's hold off on this until we figure out the workflow issues. Thanks!
persist-credentials: falseto checkout steps to prevent credential leakage.contents: readpermissions.publish_releaseinrelease.yml.