fix zizmor findings

morganchen12 · morganchen12 · commit 0ff73c2db5e2 · 2026-06-26T15:34:58.000-07:00
diff --git a/.github/workflows/agent-evals.yaml b/.github/workflows/agent-evals.yaml
@@ -26,8 +26,11 @@ jobs:
     env:
       GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
diff --git a/.github/workflows/functions.yaml b/.github/workflows/functions.yaml
@@ -23,12 +23,15 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: "24"
 
-      - uses: google-github-actions/auth@v0
+      - uses: google-github-actions/auth@09cecabe1f169596b81c2ef22b40faff87acc460 # ratchet:google-github-actions/auth@v0
         with:
           credentials_json: "${{ secrets.CF3_INTEGRATION_TEST_GOOGLE_CREDENTIALS }}"
           create_credentials_file: true
diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml
@@ -29,10 +29,12 @@ jobs:
         node-version:
           - "24"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v3
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
@@ -52,8 +54,11 @@ jobs:
           - "22"
           - "24"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
@@ -67,7 +72,7 @@ jobs:
         working-directory: firebase-vscode
       - run: npm run test:unit
         working-directory: firebase-vscode
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@0fb7174895f61a3b6b78fc075e0cd60383518dac # ratchet:codecov/codecov-action@v5
         if: matrix.node-version == '24'
 
   # vscode_integration:
@@ -135,8 +140,11 @@ jobs:
         node-version:
           - "24"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
@@ -157,15 +165,18 @@ jobs:
           - "22"
           - "24"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
           cache-dependency-path: npm-shrinkwrap.json
 
       - name: Cache ESLint
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # ratchet:actions/cache@v4
         with:
           path: .eslintcache
           key: eslint-${{ runner.os }}-node${{ matrix.node-version }}-${{ hashFiles('**/*.ts', '**/*.js') }}
@@ -176,7 +187,7 @@ jobs:
       - run: npm ci
       - run: npm test -- -- --forbid-only
 
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@0fb7174895f61a3b6b78fc075e0cd60383518dac # ratchet:codecov/codecov-action@v5
         if: matrix.node-version == '24'
         with:
           files: ./.coverage/lcov.info
@@ -218,24 +229,27 @@ jobs:
           - node-version: "22"
             script: "npm run test:storage-emulator-integration"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
           cache-dependency-path: npm-shrinkwrap.json
       - name: Setup Java JDK
-        uses: actions/setup-java@v3.3.0
+        uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # ratchet:actions/setup-java@v3.3.0
         with:
           java-version: 21
           distribution: temurin
       - name: Setup Chrome
-        uses: browser-actions/setup-chrome@v1.7.2
+        uses: browser-actions/setup-chrome@facf10a55b9caf92e0cc749b4f82bf8220989148 # ratchet:browser-actions/setup-chrome@v1.7.2
         with:
           install-dependencies: true
           install-chromedriver: true
       - name: Cache firebase emulators
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3
         with:
           path: ${{ env.FIREBASE_EMULATORS_PATH }}
           key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('emulator-cache/**') }}
@@ -288,20 +302,23 @@ jobs:
             script: "npm run test:functions-discover"
     steps:
       - name: Setup Java JDK
-        uses: actions/setup-java@v3.3.0
+        uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # ratchet:actions/setup-java@v3.3.0
         with:
           java-version: 21
           distribution: temurin
 
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
           cache-dependency-path: npm-shrinkwrap.json
 
       - name: Cache firebase emulators
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3
         with:
           path: ${{ env.FIREBASE_EMULATORS_PATH }}
           key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('emulator-cache/**') }}
@@ -325,9 +342,12 @@ jobs:
           - "24"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm i -g npm@11.9
@@ -344,9 +364,12 @@ jobs:
           - "24"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm i -g npm@11.9
@@ -363,9 +386,12 @@ jobs:
           - "24"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        with:
+          # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+          persist-credentials: true # zizmor: ignore[artipacked]
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
