I have used Firebase for about two years to develop a web application. A while back, I also started using native Google Cloud features like Secret Manager to store secrets directly in the cloud. And precisely, the usage of Secret Manager should reveal a fatal flaw in the standard setup of firebase-tools and, more specifically, how Firebase recommends authenticating on personal and CI/CD environments.
What Happened?
It all started while setting up a new non-production stage for my application. I created a new Google Cloud Project (GCP), new service accounts, new secrets, etc., only to discover afterward my CI/CD jobs on GitHub were failing. It was failing during testing and thus even before the deployment to the new stage.