diff --git a/.github/workflows/android-leap-chat-test.yml b/.github/workflows/android-leap-chat-test.yml
index d84c26f..6d709f7 100644
--- a/.github/workflows/android-leap-chat-test.yml
+++ b/.github/workflows/android-leap-chat-test.yml
@@ -1,5 +1,5 @@
 name: Android LeapChat Build
-on: 
+on:
 push:
 branches: [ main ]
 paths:
@@ -12,30 +12,45 @@ on:
 - '.github/workflows/android-leap-chat-test.yml'
 workflow_dispatch:
+# Least-privilege default. The job authenticates with gcloud against Firebase
+# Test Lab via a service-account JSON; nothing here needs GITHUB_TOKEN write
+# scope. The Actions cache (used by gradle/actions/setup-gradle below) is gated
+# by the runtime token, not GITHUB_TOKEN, so contents: read is sufficient.
+permissions:
+ contents: read
+
 jobs:
 build-and-e2e-test:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up JDK 21
 uses: actions/setup-java@v5
 with:
 java-version: '21'
 distribution: 'temurin'
- cache: 'gradle'
+ - name: Set up Gradle
+ uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
 - name: Build LeapChat
 run: cd Android/LeapChat && ./gradlew :app:assemble
 - name: Build E2E test
 run: cd Android/LeapChat && ./gradlew :app:assembleAndroidTest
 - name: Run E2E test on Firebase Test Lab
+ env:
+ SERVICE_ACCOUNT: ${{ secrets.FIREBASE_SERVICE_ACCOUNT }}
 run: |
- echo "$SERVICE_ACCOUNT" > /tmp/service_account.json
- gcloud auth activate-service-account --key-file=/tmp/service_account.json
+ # Land the SA JSON under $RUNNER_TEMP, mode 600, with a trap cleanup
+ # so a job failure or cancellation doesn't leave the key on disk.
+ # printf (not echo) preserves backslash sequences in the JSON.
+ SA_FILE="${RUNNER_TEMP:-/tmp}/service_account.json"
+ trap 'rm -f "$SA_FILE"' EXIT
+ ( umask 077 && printf '%s' "$SERVICE_ACCOUNT" > "$SA_FILE" )
+ gcloud auth activate-service-account --key-file="$SA_FILE"
 gcloud firebase test android run --type instrumentation \
 --app Android/LeapChat/app/build/outputs/apk/debug/app-debug.apk \
 --test Android/LeapChat/app/build/outputs/apk/androidTest/debug/app-debug-androidTest.apk \
 --device model=MediumPhone.arm,version=36,locale=en,orientation=portrait \
 --project liquid-leap
- env:
- SERVICE_ACCOUNT: ${{ secrets.FIREBASE_SERVICE_ACCOUNT }}
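Review bot: `actions/checkout@v6` and `actions/setup-java@v5` are still referenced by mutable tag, while the `setup-gradle` step added in the same hunk is pinned to a full commit SHA; in a job whose last step receives `secrets.FIREBASE_SERVICE_ACCOUNT`, the earlier actions should be pinned the same way, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA> # v6` (placeholder, to be resolved from the release tag). In the run block, `umask 077` only takes effect when the redirect creates the file, so a pre-existing `service_account.json` at that fixed path would keep its old mode; `SA_FILE="$(mktemp "${RUNNER_TEMP:-/tmp}/sa.XXXXXX")"` gives an unpredictable name that is created with mode 600. The trap removes only the JSON file, whereas `gcloud auth activate-service-account` also records the credential in gcloud's own configuration directory; that is probably acceptable on an ephemeral hosted runner such as `ubuntu-24.04`, but a `gcloud auth revoke` in the trap would be needed if the job ever moves to a persistent runner.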