Set GitHub Workflow permissions to read only #190

@joycebrum

Hi, I'm also from Google and I'm working with the OpenSSF to help open source projects increase their supply chain security posture.

The first improvement I would like to suggest is to set permissions for `GITHUB_TOKEN` in the GitHub workflows, because the default behavior of GitHub when handling workflows is to grant them write-all permission. That's why it is a good practice, recommended both by the OpenSSF Scorecard and by GitHub itself, to always use credentials that are minimally scoped.

This can be easily done by setting the top-level permission to `contents: read` (usually enough for most actions) or even `read-all`, and granting any write permission at the job level.

This way, even in the case of a compromised workflow, the attacker won't be able to do much.

Let me know if that's ok to submit the PR and I'll do it ASAP.
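A minimal workflow applying the pattern described in the issue, added here as an illustration and not taken from the issue or the project; the job names, the `make test` step and the release command are assumed:

```yaml
name: ci
on:
  push:
    branches: [main]
  pull_request:

# Top-level default for every job: GITHUB_TOKEN can only read repository
# contents. Without this block the token gets write access to everything.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only default; no job-level permissions needed.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test entry point

  release:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'push'
    # Only this job is granted a write scope, and only the one it needs.
    # A job-level block replaces (does not merge with) the top-level one.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v$(cat VERSION)" --generate-notes   # assumed
        env:
          GH_TOKEN: ${{ github.token }}
```

If a job needs no repository access at all, `permissions: {}` at the job level removes every scope from its token.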
