Update nightly schedule to Mon/Wed/Fri at 9:30 PM PT and fix security issues#452

Merged
brandonpage merged 2 commits into forcedotcom:dev from brandonpage:cleanup-ci-w22712082
May 29, 2026
@brandonpage
Contributor

Summary

Implements W-22712082 — Cleanup CI for all Repos.

Schedule change: Nightly tests now run Mon/Wed/Fri at 9:30 PM PT (30 5 * * 2,4,6 UTC), up from Sun-only. Run cost is low (~13m) and the previous weekly cadence was missing regressions for up to 7 days during high-activity sprints (e.g., May 2026 had 57 commits). Alternates with the iOS-Hybrid nightly's Tue/Thu 9:30 PM slot.

Security hardening: All workflows updated to follow the GitHub Actions injection-prevention best practices:

  • All third-party actions SHA-pinned with the resolved tag in a comment.
  • Top-level permissions: block added to every workflow: contents: read baseline, pull-requests: write for the iOS reusable workflow (uses mikepenz/action-junit-report with comment: true).
  • secrets: inherit replaced with explicit secret pass-through; iOS reusable workflow declares TEST_CREDENTIALS/CODECOV_TOKEN, Android reusable declares TEST_CREDENTIALS/GCLOUD_SERVICE_KEY.
  • All ${{ ... }} shell interpolation in run: blocks refactored to env: variables with quoted shell expansions.
  • pull_request_target retained with # zizmor: ignore[dangerous-triggers] and inline comment documenting the Member Check mitigation.
  • actions/checkout steps set with: persist-credentials: false.
  • Build logs archived on failure for diagnostic purposes.
  • Job-level permissions: on reusable-workflow callers in nightly.yaml and pr.yaml, matching the permissions declared in the iOS reusable (pull-requests: write for action-junit-report PR comments).

After this change, zizmor --offline reports 0 High-confidence findings across all four CI workflows.

Test plan

  • Verified locally with python3 yaml.safe_load, actionlint -shellcheck=, zizmor --offline. All clean.
  • CI verification: opened test PR on personal fork (brandonpage/SalesforceMobileSDK-ReactNative#1) targeting the same cleanup-ci-w22712082 branch as this PR. The test PR triggers the new workflows against a real source change in react.force.log.ts. No regressions observed — see linked PR for run details.
  • Reviewer to confirm the permissions: blocks match the team's expected privilege levels for each workflow.

🤖 Generated with Claude Code
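
Three of the hardening items in the summary above (SHA-pinned actions, a top-level permissions: block, and moving ${{ ... }} out of run: scripts into env:) can be checked mechanically. The following is an added example, not code from this PR or the repository: the two workflows are constructed samples, and the `audit` function and the all-zero placeholder SHA are assumptions made for illustration.

```python
import re

# Constructed sample workflows (illustrative; not taken from this PR's diff).
BEFORE = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Testing ${{ github.event.pull_request.title }}"
"""
AFTER = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<40-hex-sha> # v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Testing $PR_TITLE"
""".replace("<40-hex-sha>", "0" * 40)  # placeholder SHA, not a real commit

RUN = re.compile(r"\s*(?:-\s+)?run:\s*(.*)")
USES = re.compile(r"\s*(?:-\s+)?uses:\s*(\S+)")
SHA = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    # Returns (line_no, finding) pairs; line 0 marks a file-level finding.
    findings, run_col = [], None
    if not any(l.startswith("permissions:") for l in text.splitlines()):
        findings.append((0, "no top-level permissions: block"))
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN.match(line)
        if m:    # inline script, or the start of a block scalar (run: |)
            run_col, script = line.index("run:"), m.group(1)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line    # still inside the run: block scalar
        else:
            run_col, script = None, ""
        if "${{" in script:
            findings.append((n, "expression expanded inside run: script"))
        u = USES.match(line)
        if u and not u.group(1).startswith("./") and not SHA.search(u.group(1)):
            findings.append((n, "action not pinned to a commit SHA"))
    return findings
```

An expression inside run: is substituted into the script text before the shell parses it, so its value can become shell syntax; passed through env: and expanded in quotes, the same value reaches the script only as data.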

@github-actions

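|                      | Tests  | Passed ☑️ | Skipped | Failed ❌️ |
|----------------------|--------|-----------|---------|-----------|
| iOS ^26 Test Results | 35 ran | 34 ✅     |         | 1 ❌      |

| Test                                       | Result     |
|--------------------------------------------|------------|
| iOS ^26 Test Results                       |            |
| ReactMobileSyncTests.testCleanResyncGhosts | ❌ failure |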

@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.62%. Comparing base (5995a6f) to head (eec0c3a).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files

@@           Coverage Diff           @@
##              dev     #452   +/-   ##
=======================================
  Coverage   72.62%   72.62%           
=======================================
  Files          13       13           
  Lines         559      559           
=======================================
  Hits          406      406           
  Misses        153      153           

@brandonpage brandonpage merged commit 287fdb6 into forcedotcom:dev May 29, 2026
7 of 11 checks passed