From 733d581bb2a3c6ac9f48473759dab089f3ef49b7 Mon Sep 17 00:00:00 2001
From: Morgan Chen
Date: Fri, 26 Jun 2026 16:30:40 -0700
Subject: [PATCH] fix zizmor findings
---
 .github/workflows/ci.yml | 5 +++++
 .github/workflows/nightly.yml | 4 ++++
 .github/workflows/release.yml | 7 +++++++
 3 files changed, 16 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0e829db2fe..7d545c117c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: Continuous Integration
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -13,6 +16,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 40d7c5b3e0..d7f9d16776 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -22,6 +22,9 @@ on:
 repository_dispatch:
 types: [firebase_nightly_build]
+permissions:
+ contents: read
+
 jobs:
 nightly:
@@ -32,6 +35,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.event.client_payload.ref || github.ref }}
+ persist-credentials: false
 - name: Set up Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b50b8d10df..5f5028bf72 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,9 @@ on:
 types:
 - firebase_build
+permissions:
+ contents: read
+
 jobs:
 stage_release:
 # To publish a release, merge a PR with the title prefix '[chore] Release ' to main
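Review bot: The workflow-level `permissions: contents: read` added in the ci.yml `@@ -2,6 +2,9 @@` hunk (and likewise in the nightly.yml `@@ -22` and release.yml `@@ -32` hunks) becomes the ceiling for every job that does not declare its own `permissions:`, and none of the hunks add a job-level grant. For ci.yml on `pull_request` that is a sensible default, but release.yml's jobs are named for staging and publishing a release; if any step there creates a GitHub release, pushes a tag or writes packages, it now needs an explicit job-level block granting only what that job uses, e.g. `permissions:` / `  contents: write` on that job alone. I would also record the intent inline above each new block: `# Least-privilege default; a job that needs more must declare its own permissions block.` The jobs themselves continue outside these hunks, so the publish concern is inferred from the step names rather than seen.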
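Review bot: In the nightly.yml `@@ -32,6 +35,7 @@` hunk the new `persist-credentials: false` is well placed, because the `ref:` line above it is taken from `github.event.client_payload.ref`, i.e. the ref is chosen by whoever sends the `repository_dispatch` event, and without the flag the GITHUB_TOKEN would stay in `.git/config` for every later step that runs code from that ref. That reasoning is not visible in the diff, so I would keep it next to the line: `# ref comes from the dispatch payload; do not leave GITHUB_TOKEN in .git/config for later steps`. The flag only stops the token from being persisted; it does not constrain which ref gets built, so if the dispatching side is not fully trusted the ref still needs its own validation. Any later step in this job that runs an authenticated `git push` or `git fetch` will now need a token passed explicitly; the rest of the job is outside the hunk.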
@@ -47,6 +50,8 @@ jobs:
 steps:
 - name: Checkout source for staging
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -110,6 +115,8 @@ jobs:
 steps:
 - name: Checkout source for publish
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Download the artifacts created by the stage_release job.
 - name: Download release candidates
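Review bot: With `persist-credentials: false` on the "Checkout source for publish" step in the `@@ -110,6 +115,8 @@` hunk, any later step in this job that pushes a tag or commits with plain `git` will no longer have the implicit GITHUB_TOKEN and will fail, and the same applies to the "Checkout source for staging" checkout in the `@@ -47` hunk above. The steps that follow are outside the hunk (the next visible one only downloads the release-candidate artifacts, which needs no git credentials), so this is a check to run on the rest of both jobs rather than a defect I can see. If a push is genuinely needed, pass a token to that single step via `env` rather than re-enabling persisted credentials for the whole job.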