fix high priority findings

morganchen12 · morganchen12 · commit f3aa324b1cbe · 2026-06-11T16:07:32.000-07:00
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
 
-permissions: write-all
+permissions:
+  contents: read
 
 env:
   triggerLabelFull: "tests-requested: full"
@@ -44,6 +45,9 @@ jobs:
   check_integration_test_labels:
     # This check fails if integration tests are queued, in progress, or failed.
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
     - uses: docker://index.docker.io/agilepathway/pull-request-label-checker@sha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61 # ratchet:docker://agilepathway/pull-request-label-checker:latest
       with:
@@ -53,6 +57,9 @@ jobs:
   generated_docs_check:
     # This check succeeds if Doxygen documentation generates without errors.
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest
         with:
diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml
@@ -2,6 +2,9 @@ name: Checks (secure)
 # These are run on base branch with read/write access.
 
 on:
+  # This trigger is only safe-ish to use if steps are gated behind the
+  # action-has-permission check.
+  # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [synchronize]
 
diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml
@@ -566,7 +566,7 @@ jobs:
             tools_platform=darwin
           fi
           verbose_flag=
-          if [[ -n "${{ github.event.inputs.verboseBuild }}" && "${{ github.event.inputs.verboseBuild }}" -ne 0 ]]; then
+          if [[ -n "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" && "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" -ne 0 ]]; then
             verbose_flag=-v
           fi
           declare -a additional_flags
@@ -606,6 +606,8 @@ jobs:
           fi
           cd firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix }}-package
           tar -czhf ../firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix }}-package.tgz .
+        env:
+          GITHUB_EVENT_INPUTS_VERBOSEBUILD: ${{ github.event.inputs.verboseBuild }}
 
       - name: Print package contents
         shell: bash
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -42,7 +42,8 @@ on:
       firestore_dep_source:
         description: 'Optional: Where to get firestore iOS SDK from: "RELEASED", "TIP" or "<git-commit> from firestore-ios-sdk"'
 
-permissions: write-all
+permissions:
+  contents: read
 
 env:
   triggerLabelPrefix: "tests-requested: "
@@ -57,6 +58,10 @@ env:
 jobs:
   check_and_prepare:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
+      actions: write
     outputs:
       trigger: ${{ steps.set_outputs.outputs.trigger }}
       github_ref: ${{ steps.set_outputs.outputs.github_ref }}
@@ -265,6 +270,9 @@ jobs:
     name: build-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }}
     needs: [check_and_prepare]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      pull-requests: write
     # Skip this if there is an empty matrix (which can happen if "auto" was set above).
     # But check cancelled() && !failure() so it runs even if check_trigger was skipped.
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Desktop') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure()
@@ -462,6 +470,9 @@ jobs:
     name: build-android-${{ matrix.os }}
     needs: [check_and_prepare]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Android') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure()
     strategy:
       fail-fast: false
@@ -604,6 +615,9 @@ jobs:
     name: build-ios-${{ matrix.os }}
     needs: [check_and_prepare]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'iOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure()
     strategy:
       fail-fast: false
@@ -724,6 +738,9 @@ jobs:
     name: build-tvos-${{ matrix.os }}
     needs: [check_and_prepare]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'tvOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure()
     strategy:
       fail-fast: false
@@ -841,6 +858,9 @@ jobs:
     name: test-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }}
     needs: [check_and_prepare, build_desktop]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Desktop') && needs.check_and_prepare.outputs.apis != '' && !cancelled()
     strategy:
       fail-fast: false
@@ -986,6 +1006,9 @@ jobs:
     name: test-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }}
     needs: [check_and_prepare, build_android]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Android') && needs.check_and_prepare.outputs.apis != '' && !cancelled()
     strategy:
       fail-fast: false
@@ -1130,6 +1153,9 @@ jobs:
     name: test-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }}
     needs: [check_and_prepare, build_ios]
     runs-on: macos-15
+    permissions:
+      contents: read
+      pull-requests: write
 
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'iOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled()
     strategy:
@@ -1317,6 +1343,9 @@ jobs:
     name: test-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }}
     needs: [check_and_prepare, build_tvos]
     runs-on: macos-15
+    permissions:
+      contents: read
+      pull-requests: write
     if: contains(needs.check_and_prepare.outputs.matrix_platform, 'tvOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled()
     strategy:
       fail-fast: false
@@ -1468,6 +1497,10 @@ jobs:
     name: "summarize-results"
     needs: [check_and_prepare, test_desktop, test_android, test_ios, test_tvos]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     if: ${{ !cancelled() }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
@@ -1546,6 +1579,8 @@ jobs:
     name: "attempt-retry"
     needs: [check_and_prepare, summarize_results]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     if: ${{ failure() && needs.check_and_prepare.outputs.trigger == 'scheduled_trigger' }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
diff --git a/.github/workflows/reviewer-roulette.yml b/.github/workflows/reviewer-roulette.yml
@@ -41,8 +41,8 @@ jobs:
           # Get the current reviewers and the author of the PR, to exclude them from the list.
           # Duplicates don't matter, so get the list of requested reviewers *and* the list of
           # completed reviews.
-          requested_reviewers='${{ join(github.event.pull_request.requested_reviewers.*.login, ' ') }} '
-          completed_reviewers='${{ join(fromJSON(env.PR_REVIEWS).*.user.login, ' ') }} '
+          requested_reviewers='${REQUESTED_REVIEWERS} '
+          completed_reviewers='${COMPLETED_REVIEWERS} '
           author="${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}"
           echo "Requested reviewers: ${requested_reviewers}"
           echo "Completed reviewers: ${completed_reviewers}"
@@ -71,6 +71,8 @@ jobs:
             echo "::warning ::No reviewers available"
           fi
         env:
+          COMPLETED_REVIEWERS: ${{ join(fromJSON(env.PR_REVIEWS).*.user.login, ' ') }}
+          REQUESTED_REVIEWERS: ${{ join(github.event.pull_request.requested_reviewers.*.login, ' ') }}
           GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }}
 
       - name: Choose random reviewer
diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml
@@ -13,7 +13,8 @@ on:
   schedule:
     - cron: "0 16 * * 1"  # Mondays, 4pm UTC = 9am PST / 10am PDT
 
-permissions: write-all
+permissions:
+  contents: read
 
 env:
   defaultBranchPattern: "feature_branch/*"
@@ -64,6 +65,8 @@ jobs:
     name: create-merge-pr-${{ matrix.branch_name }}
     needs: [ list_feature_branches ]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     if: ${{ needs.list_feature_branches.outputs.branch_list != '[]' }}
     strategy:
       fail-fast: false
