From 373a77b460cc0fc57455d368218e1ece85762607 Mon Sep 17 00:00:00 2001
From: jonathanedey <jedey@google.com>
Date: Wed, 7 Jan 2026 14:47:41 -0500
Subject: [PATCH 1/3] chore: Pinned github actions to full-length comit SHAs

---
 .github/workflows/ci.yml      | 14 +++++++-------
 .github/workflows/nightly.yml | 10 +++++-----
 .github/workflows/release.yml | 14 +++++++-------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa980083..5bf78a56 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,10 +11,10 @@ jobs:
         python: ['3.9', '3.10', '3.11', '3.12', '3.13', 'pypy3.9']
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
 
     - name: Set up Python 3.13 for emulator
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
         python-version: '3.13'
     - name: Setup functions emulator environment
@@ -24,7 +24,7 @@ jobs:
         pip install -r integration/emulators/functions/requirements.txt
         deactivate
     - name: Set up Python ${{ matrix.python }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
         python-version: ${{ matrix.python }}
     - name: Install dependencies
@@ -34,11 +34,11 @@ jobs:
     - name: Test with pytest
       run: pytest
     - name: Set up Node.js 20
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # 4.4.0
       with:
         node-version: 20
     - name: Set up Java 21
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # 5.1.0
       with:
         distribution: 'temurin'
         java-version: '21'
@@ -52,9 +52,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
     - name: Set up Python 3.9
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
         python-version: 3.9
     - name: Install dependencies
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 61644e80..d60b3cd0 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -29,12 +29,12 @@ jobs:
 
     steps:
     - name: Checkout source for staging
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
       with:
         ref: ${{ github.event.client_payload.ref || github.ref }}
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
         python-version: 3.9
 
@@ -63,14 +63,14 @@ jobs:
     # Attach the packaged artifacts to the workflow output. These can be manually
     # downloaded for later inspection if necessary.
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: dist
         path: dist
 
     - name: Send email on failure
       if: failure()
-      uses: firebase/firebase-admin-node/.github/actions/send-email@main
+      uses: firebase/firebase-admin-node/.github/actions/send-email@2e2b36a84ba28679bcb7aecdacabfec0bded2d48 # Admin Node SDK v13.6.0
       with:
         api-key: ${{ secrets.OSS_BOT_MAILGUN_KEY }}
         domain: ${{ secrets.OSS_BOT_MAILGUN_DOMAIN }}
@@ -85,7 +85,7 @@ jobs:
 
     - name: Send email on cancelled
       if: cancelled()
-      uses: firebase/firebase-admin-node/.github/actions/send-email@main
+      uses: firebase/firebase-admin-node/.github/actions/send-email@2e2b36a84ba28679bcb7aecdacabfec0bded2d48 # Admin Node SDK v13.6.0
       with:
         api-key: ${{ secrets.OSS_BOT_MAILGUN_KEY }}
         domain: ${{ secrets.OSS_BOT_MAILGUN_DOMAIN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 738dfca5..ac4298b9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,12 +40,12 @@ jobs:
     # via the 'ref' client parameter.
     steps:
     - name: Checkout source for staging
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
       with:
         ref: ${{ github.event.client_payload.ref || github.ref }}
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
       with:
         python-version: 3.9
 
@@ -74,7 +74,7 @@ jobs:
     # Attach the packaged artifacts to the workflow output. These can be manually
     # downloaded for later inspection if necessary.
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: dist
         path: dist
@@ -102,11 +102,11 @@ jobs:
 
     steps:
     - name: Checkout source for publish
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
 
     # Download the artifacts created by the stage_release job.
     - name: Download release candidates
-      uses: actions/download-artifact@v4.1.7
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: dist
         path: dist
@@ -124,13 +124,13 @@ jobs:
             --notes '${{ steps.preflight.outputs.changelog }}'
 
     - name: Publish to Pypi
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 
     # Post to Twitter if explicitly opted-in by adding the label 'release:tweet'.
     - name: Post to Twitter
       if: success() &&
         contains(github.event.pull_request.labels.*.name, 'release:tweet')
-      uses: firebase/firebase-admin-node/.github/actions/send-tweet@main
+      uses: firebase/firebase-admin-node/.github/actions/send-tweet@2e2b36a84ba28679bcb7aecdacabfec0bded2d48 # Admin Node SDK v13.6.0
       with:
         status: >
           ${{ steps.preflight.outputs.version }} of @Firebase Admin Python SDK is available.

From bfb73712483c04c1c4e5fbe0bdfbf098540b5c25 Mon Sep 17 00:00:00 2001
From: jonathanedey <jedey@google.com>
Date: Fri, 9 Jan 2026 09:29:07 -0500
Subject: [PATCH 2/3] chore: Update integration test resource

---
 .../resources/integ-service-account.json.gpg  | Bin 1762 -> 1756 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/.github/resources/integ-service-account.json.gpg b/.github/resources/integ-service-account.json.gpg
index 7740dccd8bdada2eecc181f75c552c00e912e5c2..5a52805c9a854fdea91101dfa1822cdd5e79c874 100644
GIT binary patch
literal 1756
zcmV<21|#{54Fm}T3b4{&ennUfga6X%0rw}><=tSBuPhv7FQy8=I?3Lmw%%fwb*z*z
z=6KA27D5iuBgx~x$Nyfl&GpjP(Qv$$D`=U2l?uxu35Sn`=|kyz<8?VA+jsyF+7=2@
z<@|}U!==V573LAFo)Fk!&)W@2^oQ_BI8xVK1@Fz@nY52<W1^AwTlQOK0=uu?yY~6&
z)uUsm{MI|xEXZ|_8{y5>OgWsOxEWs4?ws$bNy2VpekV}20eGu8>0Z((IN{nq@79Jv
z>qJM3@B0X3ROSPK`6JTc9rmfZp<%iCo=L%D$)96DgP`ezf<5a55_+{><$|JWn2{6-
zu8|~zd^P6mDHo4^^s;zYo=gn$v3_|-6h#Q*v>YB4FwzzYxJ$OFI2qsh-<}WE`UP0o
zvNc^F5c1`|u5^Lo6gM(449xUT0J_lPfT`o-Rv3YXMm45zU)xYv%V8E`t!^%3W2T@d
zME7SXe{`62EFI}_gg}|*iwSRjWZ)dX-wOf2SENE#%c{=78oej87A$)iafd`bW8SH6
zJ-kB6gL(_ov>A`sM?z99l_M;#(lNwfS+_jn-)(p+mR%!(X&i-aQ;uoOep`8uJh{NU
z`;X((7+wEarUlyb_5_u^G<rVV2b#c+$g&!kzSp)Ic_;0lwZ8-yGnF`zER`(4V>Xdq
zaHU$=fZ8&|fJOjb;?BfCUET*97w=(u`g8iTDN%`zGy@e26Rze|?C<LrYU$Po5iWny
z3kjEi2E{-_NTJ#zbDa$&yHg5rPx2OW6>=eo-{bX~^~<v6=J01Xk?hkp+?kh9IkdUT
z0mc#4ql%O0@D3~RO)0(u$7Fl;Q>{(OslofH)*vmX`q?uh;mD5YR6@E1U1-|M>X0?*
znFf7wQOrblD<R^(W;JNS{`FG4B08Z*$^qRF$oAoCZg7;k@gjQ<1XWqxvQIFRcGOpv
zR94@D<M40+%Trc~CQV_1=Dn?@j(}PHjqC^w^D7J{nhw+>2(asM#I1dWRAPl@zh(QD
z3XsUb(1C36YvZSlmD6!_%N!na+}IMOU|^m>_N`m<cRcI_@5SQAgc{ahr10eeB>zbT
zZz&Ee7(3&M^=M8Xx_;F26O2}mG$#jR3sA&;ot)ktfCj624V{@9&f|P1`hLMTpnf^v
zyhk%W;T7PT7K8gpz*`iIN{Id&dQVMOU|K%KwbY*8!(h}Mh1@VUgaWc{)H1_HNj{KH
zq!~m9Ks6xb#27@Jch`+}Rsh!qa(SViGg&w78YzoJc~jys?pKii|FV@TzhUOuk}*;X
z4UM8Nu9^|{7&XbCsEJX@rHSaw)%Fuy4-8YCUH<)teY{M^oANVK%EBx4h~)y7RP!u+
zG4q4$%cl%;>0k?v&6UdW=S7~lH-VQ%rOiDIg!tzMdLHwerG6__b|UZ{+x*``6FM_x
z9Q%*J0L1Bea||NK+{ND-NlRa5UL%ezMBxFUxC1VlSB|DLWU6iI+7OPXmC?g<h8S<j
z;9BLFgSq|LkV`1}thFoWA>b}g23VDc?X&{)zPJ~y80<QyS8f|$EdaS$t@GmJws!;(
zGdI9yf~EICl1tX;ay3-=27BVyR>2E;k33pZuLifi1$Fy+IgceC8QUX(c8vuYUjQKL
zPLpo*M3{<HbeSI`r5YBcFH|6D%(5&O@B*zgKW27~<9o(P+K3jiKWqhbsxDrySlhz0
zNwLQSQ%0~bR)ULWDx5PB-2JDYTyC75g<@jMauwz!po!}}s5Zo-CaNBvmIm)7AE0@;
zEm+~~w{;kuuWQJdIN8o*v1ma*DhDdEvt|wSbaI1Zy@6cy4?4M>Hm$;qSSe&l)rR9`
zt9n!#Tg#AJ^E292w0{@6@OsPYQ6>R0#1H-qumS64GunHce~@%Y9h3<lBocszfBIOZ
zab))rN8$)q=If6kjD3-FL}bB^Z$e~lNs0;s3w24r-%tXn<(<Go#^>97pn53owR5DC
zt*{lGzs20XTi%=eqw1~J<2TYgq7Y{bA?-e8DSjCROK>ezwNru{_CUNLu@-pZpX7y~
z;J^s(GiVC9k!jG$m?zZX8w$6!$XoIBdUL|re!W6X_8{PtSQ38mbE@D8(%y$_zcNI6
zQOb{GR=s*=H?m`D`{_yr@g0Jr`3B&P>JtuTtoLNZgc9|vz>at=Wdh*Zk?DLam2X-i
zvOz~E+b``WR>({bK{cqmo9hPH%#g(%I1-u!fh6lSWv!AmZ6+;`&jUAf%zUT!Y_d3L
ye!cL($Ue&aX9i7=EYc2_I+(Y=Ru;Ur6L%VZx+|5b-zMEMj_Xxk_VrmJgD2Lh0c>#q

literal 1762
zcmV<81|9i~4Fm}T0)n*iur~xo<p0v@0beh^OJr^u2=h79ok3$}Gti~VW;$nz&o&um
zQ)|H_<H_UdBRdasM>xnP%@af)-$RhZ&7)3w(?>+$-b1cw>C)uo%^A>P*=<*0iel03
za}Fsg1`ruYzno_!>aY;)OsTkc%h&&pe{$nZw5?@UjcH^%VjHu)VgwEnKQUK4HJk0=
zyZ5gIrQ>xo>l)_!-wlcQad@p8gshGgv1xcg_Yjj!nW#U|n*LMBm3Wlbk?i_CZ5Ume
zal+118<A>4AaJ?*V#JRCa=MTz1K6B-nEb*&W)}8_{YN|7UTh+U!ds%WR1v?9Hbxk@
z+EogP!glp>+*yB=n_Y5O!Q;p67Vmj%K0Z&IQHoSQT$5HK`B~z1yiX&eY#WwU=~;7S
z*R}F3&c9V&rDM=B?(>!Z9}?HjEfYzeD!pR<0+x@F>TU9zk7}<kD@qJ_abjYOs8hRq
zh7Jm)-NU`H`c6=I&(MQj_=6dt9@WEYi!or?8Rt!!pCBv*k-S9~KOI5vj$pMaMw^Qf
zBVR!3mpTDmS!mu9l<WcgcWnqFS5iutv-E~%f)5Jpy-W&sb_7%(q-;Ao6VuF}jD7Io
z6;$WA(n$TdIy;uy4;ZtMkw+=@T`+Y|R6>`hv#*;%+wZyrU0HEofh5VjbOiejUW3pY
z12D!+Wf#4>(VKPmD<n)kQME-pHhyLIsE@m&mae7pDVYTafP0(5{HTcJy!q>}rZ71T
zja(Co^VJ`de?Q=DM7vMvigtGHs?54vGS7;%Hh%Kgpcm|%^7?KEi%S69Cr3HH;P{#2
zQKW(H3{(*{l=~Bf7Rl-tT)anXQbTFgdpURPL%zy_*wvVIb#5uC(O*IiG}XiMGUA%y
z{hDOjK*5$4CjH6|s5_9ya<kCmTf*~7BVko*J60v>=cleH7`i?@E_&%aD!Azwfl->_
z*G%8=hHUxvc;-w-<E#k;-y|JdM{z{{85Sh-2}%DO9Y7S{sJfRLP)hDFrloQ6p7}q7
z@&f+gYKW*z2uzjh6T9Z1VXTLQ<J#n>8SZhmd?W7x5Q>Gdn&TWCqCer@&YB71xG=dZ
z)$Q#4CnyByk9+}lQNhr0X%Yl^Z@x^E{?CS9l0qFDy5|%MRx3RMp&FRUbXi#z!svt^
z$1+LBRDKak{r8lR!uG7M$<EM^oTQ7QggRH{{*=$CYZS{EHP}1oAvEus)Y=F0`!Q3M
zsnbi3<qek`{DG<3)B;vKn-~cWYL@}dok@zU#1&+o;|L1PP_rxGqaNi3^$~2D!z$I!
zg+PP=1}j3_HRp@eO}X7_KzSv2F_<<rY4!3;jxGqn-ENX@#tVR3Ag=6O_q()P;Vxir
zdBfPUR2L{e>3y`i=mM%I6C;mOE*azp=yC&EjEO@hZAV~%vb<>vw*Tx}<@1-F%E1MJ
z&Kx%>OC=ss;A2c#Xs*e!O^%Y!Dj=VPAc>{~z^9u8{@H%2A-4|8w>siL6sFHXXGAGp
z6u#;-ci&~<6YWll-R0BZ(9=FJ*d=Z^1zpP&lo<hZs|=`(eFb~y_fsZJNEPxZUc;l~
zje!r$2@>XySLaK2LILSvW!Dc?^#B&6$r*#Z0VQL=<ZX-EGMnW7b^Z4uTJ!Ed_ik||
z?;l;;(uiOYL1h<|zM#4KNBJs@gY4=FP?i84T>xlo$_b_5MO*>kW6!}M4b=rO4;kC?
z7>1#k9x6oenqHJ=>|?M)^;{lP0reAV^DsBc!yt{hJ=)44ze!{NMcolK=<LKc1}lAf
zgg_WyIc6(L!ew)*p?xVisbTkfPBI&plnd1KRr^@{@8RognvqT)cx2rwCkuYhTHyA%
zI15T^ko+a^_dIa`GT{>)E*z3xPIFQ}^9xIoZ8E2fWR@#G|3UOCwegz@y^#$8?WWnJ
zs2>$dD-U!>e@QG<l$^KOOyauoteF_>8RfQO0o(=0E;V|(Wz7kVeam0oZT7r|6xiFJ
zNd8hqdzqJ0-`fL-a@okskU*`zWMi=%n<V-=@;H=D3ifs^Te<V`x2Vgdeq7c{WpVYh
zslX0CfiPXweuSc`jBt?%tQcza76g7|bZX77no>1PPxq!&m!cL|J#l~QZ}A3JebK?T
zy$sIEE!|IkVGk9;6HzHA)9Y-IXTCA)$QGOVqdT1OhM%`yYT53qvYtc=4KjLTfqCH9
zgC*H0Jk^%P@UH!391-ApSu$Z<?~37SNX@G;uGzrNDT1E57mg1TR>{4D#3;W{vq*kO
zsL+qpghA`Jm|4{gJrTOb%(>>3vR5{Am*n3SBI9H-+h-WW$}kgTg9MyYUUi*K+#nml
Ero6&wRR910


From 901b1ad13e71f6221a5d9dc0518c6ae3f8c32187 Mon Sep 17 00:00:00 2001
From: jonathanedey <jedey@google.com>
Date: Fri, 9 Jan 2026 09:45:21 -0500
Subject: [PATCH 3/3] chore: Added environment label to release action

---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ac4298b9..53ebe825 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,6 +93,7 @@ jobs:
       startsWith(github.event.pull_request.title, '[chore] Release ')
 
     runs-on: ubuntu-latest
+    environment: Release
     permissions:
       # Used to create a short-lived OIDC token which is given to PyPi to identify this workflow job
       # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings