Update nightly schedules to weekdays and fix security issues #4047

Merged: brandonpage merged 1 commit into forcedotcom:dev from brandonpage:cleanup-ci-w22712082, May 29, 2026

@brandonpage
Contributor

Summary

Implements W-22712082 — Cleanup CI for all Repos.

Schedule changes:

  • Unit nightly (`nightly.yaml`) → every weekday at 9 PM PT (`0 5 * * 2-6` UTC), up from Tue/Thu-only.
  • UI nightly (`ui-test-nightly.yaml`) → every weekday at 11 PM PT (`0 7 * * 2-6` UTC), up from Mon/Wed-only.

Both schedules now catch regressions within 1 business day instead of up to 4.

Security hardening: All workflows updated to follow the GitHub Actions injection-prevention best practices:

  • All third-party actions SHA-pinned with the resolved tag in a comment.
  • Top-level `permissions:` block added to every workflow: `contents: read` baseline, `pull-requests: write` only where Danger / `mikepenz/action-junit-report` posts PR comments.
  • `secrets: inherit` replaced with explicit secret pass-through; reusable workflows now declare expected secrets in `on: workflow_call: secrets:`.
  • All `${{ ... }}` shell interpolation in `run:` blocks refactored to `env:` variables with quoted shell expansions.
  • `pull_request_target` retained with `# zizmor: ignore[dangerous-triggers]` and an inline comment documenting the Member Check mitigation.
  • `actions/checkout` steps set `with: persist-credentials: false`.
  • `xcodebuild` logs archived on build failure (`xcactivitylog`) for diagnostic purposes.

After this change, `zizmor --offline` reports 0 High-confidence findings across all six CI workflows.

Test plan

  • Verified locally with `python3 yaml.safe_load`, `actionlint -shellcheck=`, `zizmor --offline`. All clean.
  • CI verification: opened test PR on personal fork (brandonpage/SalesforceMobileSDK-iOS#23) targeting the same `cleanup-ci-w22712082` branch as this PR. The test PR triggers the new workflows against a real source change in SalesforceSDKCommon. No regressions observed — see linked PR for run details.
  • Reviewer to confirm the `permissions:` blocks match the team's expected privilege levels for each workflow.

🤖 Generated with Claude Code
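
Four of the hardening items listed in the description above (SHA pinning, the top-level `permissions:` block, `${{ ... }}` inside `run:`, and `persist-credentials: false` on checkout), expressed as line-based checks over workflow text. This is an added example, not part of the PR or the repository's code. Assumptions: both workflows are constructed samples, the SHA is a placeholder, and `audit` and its finding names are hypothetical.

```python
import re
from itertools import takewhile

# Constructed workflows (not from the repository); the SHA is a placeholder.
WEAK = """on: pull_request
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = """on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Building $HEAD_REF"
"""

def audit(text):
    """Return sorted finding names (hypothetical labels) for one workflow file's text."""
    lines, run_col = text.splitlines(), None
    has_perms = any(ln.startswith("permissions:") for ln in lines)
    found = set() if has_perms else {"no-permissions-block"}
    for i, line in enumerate(lines):
        if run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None  # dedent back to the key column: the run: block scalar ended
        uses = re.match(r"\s*(?:- )?uses:\s*([^\s@#]+)@(\S+)", line)
        if uses and not re.fullmatch(r"[0-9a-f]{40}", uses.group(2)):
            found.add("unpinned-action")  # tag or branch ref instead of a full commit SHA
        if uses and uses.group(1) == "actions/checkout":
            step = takewhile(lambda s: not s.lstrip().startswith("- "), lines[i + 1:])
            if not any(re.search(r"persist-credentials:\s*false", s) for s in step):
                found.add("checkout-persists-credentials")
        run = re.match(r"(\s*(?:- )?)run:\s*(.*)", line)
        if run and run.group(2)[:1] in ("|", ">"):
            run_col = len(run.group(1))  # column of the run: key; body lines sit deeper
        elif "${{" in (run.group(2) if run else line if run_col is not None else ""):
            found.add("expression-in-run")  # expanded into the script before the shell runs
    return sorted(found)
```

The `env:` mapping in the hardened sample is not flagged: the expression is still evaluated there, but its value reaches the shell as data in a quoted variable rather than as script text.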

@github-actions

| | Tests | Passed ☑️ | Skipped | Failed ❌️ |
|---|---|---|---|---|
| SalesforceSDKCore iOS ^18 Test Results | 639 ran | 638 ✅ | | 1 ❌ |

| Test | Result |
|---|---|
| SalesforceSDKCore iOS ^18 Test Results | |
| SFSDKAuthConfigUtilTests.testBrowserBasedLoginEnabled | ❌ failure |

@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.21%. Comparing base (6c5ade7) to head (f542ccd).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev    #4047      +/-   ##
==========================================
- Coverage   68.24%   68.21%   -0.03%     
==========================================
  Files         245      245              
  Lines       21465    21465              
==========================================
- Hits        14649    14643       -6     
- Misses       6816     6822       +6     
| Components | Coverage Δ |
|---|---|
| Analytics | 70.78% <ø> (ø) |
| Common | 70.69% <ø> (-0.10%) ⬇️ |
| Core | 61.69% <ø> (-0.04%) ⬇️ |
| SmartStore | 73.44% <ø> (ø) |
| MobileSync | 88.79% <ø> (ø) |
see 7 files with indirect coverage changes

@github-actions

github-actions Bot commented May 29, 2026

| | Tests | Passed ✅ | Skipped | Failed |
|---|---|---|---|---|
| AuthFlowTester UI Test Results all | 1 ran | 1 ✅ | | |

| Test | Result |
|---|---|
| No test annotations available | |

@github-actions

| | Tests | Passed ☑️ | Skipped | Failed ❌️ |
|---|---|---|---|---|
| SalesforceSDKCore iOS ^26 Test Results | 639 ran | 637 ✅ | | 2 ❌ |

| Test | Result |
|---|---|
| SalesforceSDKCore iOS ^26 Test Results | |
| testApplySimulatedResultWithHostAndUserCallsCallbackWithResult() | ❌ failure |
| SFSDKAuthConfigUtilTests.testBrowserBasedLoginEnabled | ❌ failure |

on:
schedule:
- cron: "0 5 * * 3,5" # cron is UTC, this translates to 10 PM PST Tues and Thur.
- cron: "0 5 * * 2-6" # cron is UTC; 9 PM PT every weekday (Mon-Fri).
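
Review bot: the comment on the new `cron: "0 5 * * 2-6"` line gives the time as "9 PM PT", but a UTC cron does not follow daylight saving: 05:00 UTC is 9 PM under PST and 10 PM under PDT, and the replaced line's comment called the same 05:00 UTC "10 PM PST". State the offset the comment assumes, for example "9 PM PST / 10 PM PDT". It would also help to say that `2-6` is Tuesday to Saturday in UTC, which is what lands the run on Monday to Friday evenings Pacific; as written, `2-6` next to "Mon-Fri" reads like an off-by-one.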
Contributor

@wmathurin wmathurin May 29, 2026

Should we do Sunday to Thursday instead (so always followed by a working day the next morning)?

Contributor Author

Does running it Sunday night vs Friday night make any difference? I'm not working over the weekend 😄

Contributor Author

I guess it is checking the work from today vs having a fresh run for tomorrow. I think we care more about our code changes than environment issues that could be introduced over the weekend.

Contributor

@wmathurin wmathurin May 29, 2026

> Does running it Sunday night vs Friday night make any difference? I'm not working over the weekend 😄

True but Claude might ;-)

@brandonpage brandonpage merged commit 97ab8b5 into forcedotcom:dev May 29, 2026
26 of 30 checks passed