From f493cde305f647beba0e920d541dfcdc781ad569 Mon Sep 17 00:00:00 2001
From: Morgan Chen
Date: Wed, 1 Jul 2026 15:02:19 -0700
Subject: [PATCH 1/2] add ignores for C++ to appease the scanner
---
.github/workflows/android.yml | 2 ++
.github/workflows/build-report.yml | 1 +
.github/workflows/checks.yml | 4 ++++
.github/workflows/checks_secure.yml | 1 +
.github/workflows/cpp-packaging.yml | 11 +++++++++++
.github/workflows/desktop.yml | 3 +++
.github/workflows/integration_tests.yml | 11 +++++++++++
.github/workflows/ios.yml | 2 ++
.github/workflows/lint.yml | 2 ++
.github/workflows/retry-test-failures.yml | 1 +
.github/workflows/update-dependencies.yml | 1 +
.github/workflows/update-feature-branches.yml | 3 +++
12 files changed, 42 insertions(+)
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index e2617fb6f9..a974aaf2df 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -29,6 +29,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Use expanded matrix
if: github.event.inputs.use_expanded_matrix == '1'
@@ -93,6 +94,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: true
- name: Set env variables for subsequent steps (all)
diff --git a/.github/workflows/build-report.yml b/.github/workflows/build-report.yml
index 8c9473bc25..91879d2fbc 100644
--- a/.github/workflows/build-report.yml
+++ b/.github/workflows/build-report.yml
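Review bot: The added `persist-credentials: true # zizmor: ignore[artipacked]` keeps exactly the behaviour the finding is about — the job token is written into the checkout's `.git/config` and stays on disk for every later step, including any artifact upload — and only hides it from the scanner; the same line is repeated in every hunk of this patch across all twelve files. For a checkout that only needs to read the tree the finding is resolved by `persist-credentials: false` instead, which clearly applies to the third-party checkouts (`repository: llvm/llvm-project` and `repository: nico/demumble` in cpp-packaging.yml, `repository: cpplint/cpplint` in lint.yml) and very likely to the matrix-preparation jobs that check out with `submodules: false`. Only a job whose later steps push or fetch with that token needs the credential kept, and the SDK checkout in cpp-packaging.yml is followed by a `Store git credentials for all git commands` step, which suggests even that job manages its own credentials. I'd suggest triaging each checkout individually and keeping the ignore only where a later step demonstrably uses the persisted token, with a short comment on that line naming the step that does.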
@@ -31,6 +31,7 @@ jobs:
python-version: 3.9
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
fetch-depth: 0
- name: Install Desktop SDK prerequisites
uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index cf6dc2df5d..bd5d63cfbf 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -24,6 +24,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Setup python
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
@@ -65,6 +66,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Setup python
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
@@ -104,6 +106,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Run check_copyright.sh
run: |
@@ -118,6 +121,7 @@ jobs:
# Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main.
if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}}
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
fetch-depth: 0
submodules: false
- name: Check whether release notes have been updated
diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml
index 31c5ec5aed..f13e236542 100644
--- a/.github/workflows/checks_secure.yml
+++ b/.github/workflows/checks_secure.yml
@@ -31,6 +31,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Setup python
if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml
index 7bb11e0cab..e7d1b78a01 100644
--- a/.github/workflows/cpp-packaging.yml
+++ b/.github/workflows/cpp-packaging.yml
@@ -141,6 +141,7 @@ jobs:
if: ${{ matrix.tools_platform == 'darwin' && !steps.cache_llvm.outputs.cache-hit }}
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
repository: llvm/llvm-project
path: llvm-src
ref: ${{ env.llvmVer }}
@@ -163,6 +164,7 @@ jobs:
- name: fetch demumble
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
repository: nico/demumble
path: demumble-src
ref: ${{ env.demumbleVer }}
@@ -211,6 +213,7 @@ jobs:
- name: fetch SDK
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
path: sdk-src
- name: Setup python
@@ -266,6 +269,7 @@ jobs:
- name: fetch SDK
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
path: sdk-src
- name: Store git credentials for all git commands
@@ -380,6 +384,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: true
- name: Set env variables for subsequent steps (all)
@@ -523,6 +528,7 @@ jobs:
- name: fetch SDK
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
path: sdk-src
- name: download packaging-tool artifacts
@@ -733,6 +739,7 @@ jobs:
- name: fetch SDK
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
path: sdk-src
- name: download artifact
@@ -859,6 +866,8 @@ jobs:
steps:
- name: Checkout repo
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+ with:
+ persist-credentials: true # zizmor: ignore[artipacked]
- name: Setup python
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
@@ -933,6 +942,8 @@ jobs:
steps:
- name: Checkout repo
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+ with:
+ persist-credentials: true # zizmor: ignore[artipacked]
- name: Setup python
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
with:
diff --git a/.github/workflows/desktop.yml b/.github/workflows/desktop.yml
index c609d8537d..8505186712 100644
--- a/.github/workflows/desktop.yml
+++ b/.github/workflows/desktop.yml
@@ -31,6 +31,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Use expanded matrix
if: github.event.inputs.expanded_matrix == '1'
@@ -117,6 +118,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: true
- name: Set env vars (ubuntu)
@@ -327,6 +329,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
submodules: true
- name: Cache vcpkg C++ dependencies
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index ff145d27e9..1ed4bb1b98 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -155,6 +155,7 @@ jobs:
access_token: ${{ github.token }}
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{steps.set_outputs.outputs.github_ref}}
fetch-depth: 0
submodules: false
@@ -309,6 +310,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
submodules: true
- name: Setup python
@@ -482,6 +484,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
submodules: true
- run: df -h
@@ -626,6 +629,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
submodules: true
- name: Setup python
@@ -748,6 +752,7 @@ jobs:
cmakeVersion: "~3.31.0"
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
submodules: true
- name: Setup python
@@ -888,6 +893,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Download Desktop integration tests artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
@@ -1018,6 +1024,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Download Android integration tests artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
@@ -1163,6 +1170,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Download iOS integration tests artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
@@ -1348,6 +1356,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Download tvOS integration tests artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
@@ -1496,6 +1505,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Setup python
@@ -1576,6 +1586,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{needs.check_and_prepare.outputs.github_ref}}
- name: Setup python
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
index b7a502284b..30604bd815 100644
--- a/.github/workflows/ios.yml
+++ b/.github/workflows/ios.yml
@@ -25,6 +25,7 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
- name: Use expanded matrix
if: github.event.inputs.use_expanded_matrix == '1'
@@ -60,6 +61,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: true
- name: Setup python
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 90fc3a298e..172f1d9c9d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,11 +14,13 @@ jobs:
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
repository: cpplint/cpplint
ref: "1.5.5"
path: cpplint
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
submodules: false
path: firebase
diff --git a/.github/workflows/retry-test-failures.yml b/.github/workflows/retry-test-failures.yml
index 9d5b12360a..d7ef9ab021 100644
--- a/.github/workflows/retry-test-failures.yml
+++ b/.github/workflows/retry-test-failures.yml
@@ -27,6 +27,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{ matrix.branch_name }}
fetch-depth: 0
submodules: false
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 621ee4f000..d5a8a7abeb 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -46,6 +46,7 @@ jobs:
- name: Check out base branch
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
fetch-depth: 0
ref: ${{ github.event.inputs.baseBranch }}
diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml
index a68b6f82dd..52503aca54 100644
--- a/.github/workflows/update-feature-branches.yml
+++ b/.github/workflows/update-feature-branches.yml
@@ -33,6 +33,8 @@ jobs:
- name: Check out repo (if needed)
if: ${{ github.event.inputs.branch_list == '' }}
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+ with:
+ persist-credentials: true # zizmor: ignore[artipacked]
- name: Get list of feature branches
id: get-branches
@@ -87,6 +89,7 @@ jobs:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
+ persist-credentials: true # zizmor: ignore[artipacked]
ref: ${{ matrix.branch_name }}
fetch-depth: 0
submodules: false
From 7a9b297335133492020946692aca63004d98de7f Mon Sep 17 00:00:00 2001
From: Morgan Chen
Date: Wed, 1 Jul 2026 15:10:33 -0700
Subject: [PATCH 2/2] rest of the owl
---
.github/workflows/android.yml | 3 +++
.github/workflows/desktop.yml | 7 ++++++-
.github/workflows/ios.yml | 7 ++++++-
.github/workflows/lint.yml | 6 ++++++
.github/workflows/retry-test-failures.yml | 3 +++
.github/workflows/reviewer-roulette.yml | 6 ++++++
.github/workflows/update-custom-runner.yml | 3 +++
7 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index a974aaf2df..fb1eed5a61 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -15,6 +15,9 @@ env:
GITHUB_TOKEN: ${{ github.token }}
xcodeVersion: "26.2" # Only affects Mac runners, and only for prerequisites.
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
diff --git a/.github/workflows/desktop.yml b/.github/workflows/desktop.yml
index 8505186712..e401618145 100644
--- a/.github/workflows/desktop.yml
+++ b/.github/workflows/desktop.yml
@@ -14,6 +14,9 @@ env:
CCACHE_DIR: ${{ github.workspace }}/ccache_dir
GITHUB_TOKEN: ${{ github.token }}
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
@@ -114,7 +117,9 @@ jobs:
- name: Setup Xcode version (macos)
if: runner.os == 'macOS'
- run: sudo xcode-select -s /Applications/Xcode_${{ matrix.xcode_version }}.app/Contents/Developer
+ run: sudo xcode-select -s /Applications/Xcode_${XCODE_VERSION}.app/Contents/Developer
+ env:
+ XCODE_VERSION: ${{ matrix.xcode_version }}
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
index 30604bd815..e6fbcd0cda 100644
--- a/.github/workflows/ios.yml
+++ b/.github/workflows/ios.yml
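Review bot: The new workflow-level `permissions: contents: read` lands directly under an `env: GITHUB_TOKEN: ${{ github.token }}` export that every step in the workflow inherits, so any step that used that token for a write (posting a comment, pushing, re-running a job) now fails with 403; unlike lint.yml and reviewer-roulette.yml, android.yml, desktop.yml (`@@ -14`), ios.yml (`@@ -13`) and update-custom-runner.yml (`@@ -19`) receive no job-level grant in this series, and the hunks give no way to tell whether any of their jobs needs one. Worth walking each job that reads `GITHUB_TOKEN` and, where a write is needed, adding a job-level `permissions:` block in the pattern used for lint.yml. Note also that checks.yml, checks_secure.yml, build-report.yml, cpp-packaging.yml, integration_tests.yml, update-dependencies.yml and update-feature-branches.yml, all touched by the first patch, still carry no `permissions:` block and keep the repository default, so the read-only baseline is not yet uniform across the workflows.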
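Review bot: Moving `${{ matrix.xcode_version }}` out of the `run:` line and into `env:` is the right shape, but the shell expansion that replaces it is unquoted; `run: sudo xcode-select -s "/Applications/Xcode_${XCODE_VERSION}.app/Contents/Developer"` keeps a value containing whitespace or glob characters as a single argument. The same applies to the identical hunk in ios.yml (`@@ -57`). The matrix value is defined in the workflow itself, so this is a style point rather than an injection concern.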
@@ -13,6 +13,9 @@ on:
env:
GITHUB_TOKEN: ${{ github.token }}
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
@@ -57,7 +60,9 @@ jobs:
- name: setup Xcode version (macos)
if: runner.os == 'macOS'
- run: sudo xcode-select -s /Applications/Xcode_${{ matrix.xcode_version }}.app/Contents/Developer
+ run: sudo xcode-select -s /Applications/Xcode_${XCODE_VERSION}.app/Contents/Developer
+ env:
+ XCODE_VERSION: ${{ matrix.xcode_version }}
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 172f1d9c9d..030a616f17 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,9 @@ on:
pull_request:
types: [opened,synchronize]
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
@@ -11,6 +14,9 @@ concurrency:
jobs:
lint_warnings_check_and_comment:
runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ pull-requests: write
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
diff --git a/.github/workflows/retry-test-failures.yml b/.github/workflows/retry-test-failures.yml
index d7ef9ab021..07ff259075 100644
--- a/.github/workflows/retry-test-failures.yml
+++ b/.github/workflows/retry-test-failures.yml
@@ -7,6 +7,9 @@ on:
default: ''
required: true
+permissions:
+ contents: read
+
jobs:
check_results_and_retry_if_needed:
name: check-results-and-retry-if-needed
diff --git a/.github/workflows/reviewer-roulette.yml b/.github/workflows/reviewer-roulette.yml
index e8d3e96a58..5a099120d3 100644
--- a/.github/workflows/reviewer-roulette.yml
+++ b/.github/workflows/reviewer-roulette.yml
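Review bot: A workflow-level `permissions: contents: read` in retry-test-failures.yml with no job-level grant leaves the job read-only, yet a job named `check_results_and_retry_if_needed` presumably re-runs failed workflow jobs through the Actions API, which needs `actions: write`. If that is what the job does, it needs its own `permissions:` block with `actions: write` next to `contents: read`, in the same shape as the block added to the lint job; the steps that would confirm this lie outside the hunk.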
@@ -7,10 +7,16 @@ on:
env:
reviewerList: "jonsimantov a-maurice cynthiajoan chkuang-g AlmostMatt"
+permissions:
+ contents: read
+
jobs:
assign_random_reviewer:
if: github.event.action == 'labeled' && github.event.label.name == 'reviewer-roulette'
runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ pull-requests: write
steps:
- name: Unset label
uses: buildsville/add-remove-label@6008d7bd99d3baeb7c04033584e68f8ec80b198b # ratchet:buildsville/add-remove-label@v1
diff --git a/.github/workflows/update-custom-runner.yml b/.github/workflows/update-custom-runner.yml
index ec7f485529..bcf03f0a77 100644
--- a/.github/workflows/update-custom-runner.yml
+++ b/.github/workflows/update-custom-runner.yml
@@ -19,6 +19,9 @@ on:
env:
GITHUB_TOKEN: ${{ github.token }}
+permissions:
+ contents: read
+
jobs:
update_custom_runners:
name: update-custom-runner-${{ matrix.runner_hostname }}