ci: harden android-leap-chat-test workflow#49
- Top-level permissions: `contents: read` (was inheriting org default).
- `actions/checkout@v4` → `@v6` with `persist-credentials: false`.
- `runs-on: ubuntu-latest` → `ubuntu-24.04`.
- Firebase SA JSON now lands in `$RUNNER_TEMP` under `umask 077` with a `trap` cleanup; use `printf` (not `echo`) to preserve backslash sequences in the JSON. Removes the world-readable mode 644 file that the previous flow left in /tmp.
Pull request overview
Hardens the Android LeapChat Build GitHub Actions workflow on main by tightening default permissions, pinning runner/action versions, and improving handling of the Firebase Test Lab service-account JSON used for gcloud auth.
Changes:
- Add top-level `permissions: contents: read` and disable checkout credential persistence.
- Pin the runner image to `ubuntu-24.04` and bump the `actions/checkout` major version.
- Write the Firebase service-account JSON into `$RUNNER_TEMP` with restrictive file permissions and ensure cleanup via `trap`.
```yaml
# Test Lab via a service-account JSON; no GitHub API access needed.
permissions:
  contents: read
```
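Review bot: the comment "no GitHub API access needed" above the permissions block is imprecise, because the job's setup-java `cache: 'gradle'` still talks to the Actions cache API; that API is authorised by the ACTIONS_RUNTIME_TOKEN injected at job start rather than by the GITHUB_TOKEN's `actions:` scope, so `contents: read` is sufficient, and the comment should say that explicitly rather than claiming no API access at all.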
Switched to gradle/actions/setup-gradle@50e97c2c # v6.1.0 in b5019df per maintainer direction — drops cache: 'gradle' from setup-java and replaces it with the dedicated Gradle action.
Worth noting on the underlying point: the GitHub Actions cache API is gated by the ACTIONS_RUNTIME_TOKEN (a separate token injected at job start), not by the GITHUB_TOKEN's actions: scope. Empirically the prior run on cbde9e3 saved the cache successfully under permissions: contents: read — Cache saved with the key: setup-java-Linux-x64-gradle-… in the run log. So the move is a code-quality improvement (matches the desktop-examples PR's pattern), not a fix for a broken cache path. Refined the permissions-block comment to clarify this.
Address PR #49 review.

Copilot reviewer flagged that setup-java's `cache: 'gradle'` uses the Actions cache API and the "no GitHub API access needed" comment was imprecise. Empirically the cache works under `contents: read` (cache save succeeded on the prior run), but gradle/actions/setup-gradle is the proper modern path — matches the desktop-examples worktree (PR #48) and cleanly separates JDK setup from build-cache wiring.

- Drop `cache: 'gradle'` from actions/setup-java.
- Add gradle/actions@50e97c2 (v6.1.0, SHA-pinned).
- Refine the permissions-block comment: the Actions cache is gated by the ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN, so `contents: read` is sufficient.
Summary
Surgical security hardening of the only workflow on `main` (`android-leap-chat-test.yml`). The desktop-examples PR (#48) already covers the same fixes for the four desktop chat-cli workflows it adds; this PR closes the gap on `main` without waiting for #48 to merge.

- `permissions: contents: read` (was inheriting org default).
- `actions/checkout@v4` → `@v6` with `persist-credentials: false`.
- `runs-on: ubuntu-latest` → `ubuntu-24.04`.
- `/tmp/service_account.json` (mode 644) to `$RUNNER_TEMP/service_account.json` under `umask 077` (mode 600), with a `trap` cleanup so cancellation doesn't leave the key on disk. Use `printf` (not `echo`) to preserve backslash sequences in the JSON.
Deliberately did NOT add the `gradle/actions/setup-gradle` SHA pin or the Sonatype-snapshot purge logic — those land via PR #48 merging, and adding them on this branch would create churn.
Test plan
`Android/LeapChat/**` push to `main`: the workflow fires, authenticates against Firebase Test Lab using the relocated SA file, and the build + e2e test pass.

See `devlog/000005-fix-ci-security-hardening.md` for context.
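The SA-file handling the PR describes (`$RUNNER_TEMP`, `umask 077`, `trap` cleanup, `printf` instead of `echo`), as an added stand-alone example rather than the workflow's own step. It assumes the secret arrives in an environment variable named `FIREBASE_SA_JSON` (in the real job it would come from `${{ secrets.… }}`), and falls back to a private `mktemp` directory when `RUNNER_TEMP` is unset outside GitHub Actions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Writes a service-account JSON
# into $RUNNER_TEMP so that it is mode 600 from the moment it exists, removes
# it on exit (including cancellation delivered as SIGTERM), and uses printf so
# the literal "\n" sequences inside private_key are not turned into newlines
# the way some echo implementations (e.g. dash's) would.

# Constructed stand-in for the real secret; the "\n" are literal backslash-n,
# exactly as they appear in a Google service-account key file.
FIREBASE_SA_JSON='{"type":"service_account","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvEXAMPLE\n-----END PRIVATE KEY-----\n"}'

# Octal file mode, GNU stat (ubuntu-24.04) first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write the JSON to $1. umask runs in a subshell so the caller's umask is
# untouched; printf '%s' emits the bytes verbatim. Any stale file is removed
# first, because umask only affects newly created files.
write_sa_json() {
  rm -f "$1"
  (umask 077 && printf '%s' "$FIREBASE_SA_JSON" > "$1")
}

# Location and cleanup trap live in the main shell, not inside a command
# substitution, otherwise the EXIT trap would fire when the subshell ends
# and delete the file before gcloud could read it.
SA_FILE="${RUNNER_TEMP:-$(mktemp -d)}/service_account.json"
trap 'rm -f "$SA_FILE"' EXIT INT TERM

# Returns 0 only if the bytes on disk equal the secret and the mode is 600.
verify_sa_json() {
  write_sa_json "$SA_FILE"
  [ "$(cat "$SA_FILE")" = "$FIREBASE_SA_JSON" ] || return 1
  [ "$(file_mode "$SA_FILE")" = "600" ] || return 1
}

verify_sa_json && echo "service_account.json written with mode 600, content intact"
```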