thunderbird · coreycb · Apr 27, 2026
@@ -34,6 +34,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Show disk usage
         uses: ./.github/actions/disk-usage
@@ -65,6 +66,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -82,6 +84,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -103,6 +106,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -120,6 +124,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -145,6 +150,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -162,6 +168,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -179,6 +186,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle

@@ -28,6 +28,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle

@@ -13,7 +13,14 @@ jobs:
   build-daily:
     if: ${{ github.repository_owner == 'thunderbird' }}
     uses: ./.github/workflows/shippable_builds.yml
-    secrets: inherit
+    secrets:
+      MATRIX_NOTIFY_TOKEN: ${{ secrets.MATRIX_NOTIFY_TOKEN }}
+      BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      PLAY_STORE_ACCOUNT: ${{ secrets.PLAY_STORE_ACCOUNT }}
     permissions:
       id-token: write # For GCS publishing (ftp.mo)
       contents: read
@@ -35,6 +35,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ steps.app-token.outputs.token || github.token }}
+          persist-credentials: false
 
       - name: Cargo cache
         uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7  # v1.16.0

@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # @v6.2.0

@@ -1,9 +1,14 @@
 ---
 name: PR - Auto Assign Reviewer
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
-on:
+# This workflow uses pull_request_target so it has access to secrets and write
+# permissions even for fork PRs, which is required to assign reviewers.
+#
+# Security constraints that must be maintained to prevent code injection:
+#   - Do not checkout or execute any code.
+#   - Do not interpolate free-form PR fields.
+
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [review_requested]
 
@@ -32,4 +37,4 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: |
-          gh pr edit $PR_NUMBER --repo $GITHUB_REPOSITORY --add-assignee "$PR_REVIEWER"
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-assignee "$PR_REVIEWER"
@@ -1,10 +1,11 @@
 ---
 name: PR - Update dependency guard for Dependabot PRs
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
+# This workflow uses pull_request (not pull_request_target) because it only runs
+# on same-repo dependabot PRs, guarded by head.repo.full_name. Same-repo PRs have
+# write permissions and secret access without needing pull_request_target.
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -26,7 +27,7 @@ permissions:
 
 jobs:
   pr-update-dependency-guard:
-    if: github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == 'thunderbird/thunderbird-android'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == 'thunderbird/thunderbird-android'
     runs-on: ubuntu-latest
     environment: botmobile
     timeout-minutes: 90
@@ -44,6 +45,7 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
           token: ${{ steps.app-token.outputs.token || github.token }}
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle

@@ -1,9 +1,14 @@
 ---
 name: PR - Label tb-team
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
-on:
+# This workflow uses pull_request_target so it has access to secrets and write
+# permissions even for fork PRs, which is required to add labels.
+#
+# Security constraints that must be maintained to prevent code injection:
+#   - Do not checkout or execute any code.
+#   - Do not interpolate free-form PR fields.
+
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [opened, reopened]
 

@@ -1,9 +1,14 @@
 ---
 name: PR - Merged
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
-on:
+# This workflow uses pull_request_target so it has access to secrets and write
+# permissions even for fork PRs, which is required to post comments and set milestones.
+#
+# Security constraints that must be maintained to prevent code injection:
+#   - Do not checkout or execute any code.
+#   - Do not interpolate free-form PR fields.
+
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     branches: [main, beta, release]
     types: [closed]
@@ -33,19 +38,19 @@ jobs:
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: |
           # There should be exactly 3 milestones open at all times
-          TARGET_BRANCH="${{ github.base_ref }}"
+          TARGET_BRANCH="${GITHUB_BASE_REF}"
           case "$TARGET_BRANCH" in
             main) milestone_index=0 ;;
             beta) milestone_index=1 ;;
             release) milestone_index=2 ;;
           esac
           echo "$milestone_index"
-          gh api repos/$GITHUB_REPOSITORY/milestones --jq "
+          gh api "repos/$GITHUB_REPOSITORY/milestones" --jq "
                 map(select(.state == \"open\" and .due_on != null))
                 | sort_by(.due_on) | reverse
                 | .[${milestone_index}] | { number, title }
                 | to_entries
-                | map(.key + \"=\" + (.value|tostring)) | join(\"\n\")" | tee -a $GITHUB_OUTPUT
+                | map(.key + \"=\" + (.value|tostring)) | join(\"\n\")" | tee -a "$GITHUB_OUTPUT"
 
       - name: Thank you
         if: |
@@ -67,12 +72,12 @@ jobs:
 
             Hope to see you there! 🚀📱🐦
         run: |
-          gh pr comment $PR_NUMBER --repo $GITHUB_REPOSITORY --body "$MESSAGE"
+          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "$MESSAGE"
 
       - name: Set active milestone on PR
         env:
           PR_NUMBER: ${{  github.event.pull_request.number  }}
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
           MILESTONE: ${{ steps.milestone.outputs.number }}
         run: |
-          gh api --method PATCH /repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER -f milestone=$MILESTONE
+          gh api --method PATCH "/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER" -f "milestone=$MILESTONE"
@@ -1,9 +1,14 @@
 ---
 name: PR - Opened
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
-on:
+# This workflow uses pull_request_target so it has access to secrets and write
+# permissions even for fork PRs, which is required to post comments.
+#
+# Security constraints that must be maintained to prevent code injection:
+#   - Do not checkout or execute any code.
+#   - Do not interpolate free-form PR fields.
+
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     branches: [beta, release]
     types: [opened]
@@ -30,7 +35,6 @@ jobs:
         env:
           PR_NUMBER: ${{  github.event.pull_request.number  }}
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-          MILESTONE: ${{ steps.milestone.outputs.title }}
           MESSAGE: |
             Thank you for your uplift request! Please add a comment with the following approval request template filled out.
 

@@ -1,9 +1,14 @@
 ---
 name: PR - Request report labels
 
-# Warning, this job is running on pull_request_target and therefore has access to issue content.
-# Don't add any steps that act on external code.
-on:
+# This workflow uses pull_request_target so it has access to secrets and write
+# permissions even for fork PRs, which is required to post comments and add labels.
+#
+# Security constraints that must be maintained to prevent code injection:
+#   - Do not checkout or execute any code.
+#   - Do not interpolate free-form PR fields.
+
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [ opened, reopened, synchronize, labeled, unlabeled ]
     branches:
@@ -23,10 +28,13 @@ jobs:
     steps:
       - name: Validate report label
         id: validate
+        env:
+          LABELS_JSON: ${{ toJson(github.event.pull_request.labels) }}
+          PR_BODY: ${{ toJson(github.event.pull_request.body) }}
         run: |
           set -euo pipefail
 
-          labels_json='${{ toJson(github.event.pull_request.labels) }}'
+          labels_json="$LABELS_JSON"
 
           echo "Current labels:"
           echo "$labels_json" | jq -r '.[].name'
@@ -47,7 +55,7 @@ jobs:
 
           feature_flag_count="$(jq '[.[] | select(.name == "feature flag")] | length' <<< "$labels_json")"
           if [ "$feature_flag_count" -gt 0 ]; then
-            pr_body='${{ toJson(github.event.pull_request.body) }}'
+            pr_body="$PR_BODY"
             pr_feature_flag_key="$(jq -nr --arg body "$pr_body" 'try ($body | gsub("\r"; "") | capture("(?m)^feature-flag:\\s*`(?<flag>[^`]+)`$").flag) catch ""')"
             if [ -z "$pr_feature_flag_key" ]; then
               echo "valid=false" >> "$GITHUB_OUTPUT"
@@ -64,10 +72,11 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
           MESSAGE: ${{ steps.validate.outputs.message }}
         run: |
           gh pr comment "$PR_NUMBER" \
-            --repo "${{ github.repository }}" \
+            --repo "$REPO" \
             --body "$MESSAGE"
 
       - name: Fail if invalid

@@ -34,6 +34,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -51,6 +52,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -77,6 +79,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle
@@ -94,6 +97,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Gradle environment
         uses: ./.github/actions/setup-gradle

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Cargo cache
         uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7  # v1.16.0

@@ -35,6 +35,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Gradle environment
         if: matrix.language == 'java-kotlin'