diff --git a/.github/workflows/common_cocoapods.yml b/.github/workflows/common_cocoapods.yml index 6a575554bb4..50834b04431 100644 --- a/.github/workflows/common_cocoapods.yml +++ b/.github/workflows/common_cocoapods.yml @@ -5,6 +5,28 @@ permissions: on: workflow_call: + # Re-usable workflows do not automatically inherit the caller's secrets. + # + # If the calling workflow uses a secret in the `setup_command` input, then + # it also must pass the secret to the re-usable workflow. + # + # Example: + # + # pod_lib_lint: + # uses: ./.github/workflows/common_cocoapods.yml + # with: + # product: FirebaseFoo + # setup_command: | + # scripts/decrypt_gha_secret.sh \ + # /path/to/GoogleService-Info.plist.gpg \ + # /path/to/dest/GoogleService-Info.plist "$plist_secret" + # secrets: + # plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} + # + secrets: + plist_secret: + required: false + inputs: # The product to test be tested (e.g. `FirebaseABTesting`). product: @@ -66,6 +88,10 @@ on: # This is useful for additional set up, like starting an emulator or # downloading test data. # + # Note, this step has an env var set to decrypt plists. Use + # "$plist_secret" in the given command. See `secrets` documentation + # at top of this file. + # # Example: `FirebaseFunctions/Backend/start.sh synchronous` setup_command: type: string @@ -101,6 +127,8 @@ jobs: run: sed -i "" "s/s.swift_version[[:space:]]*=[[:space:]]*'5.9'/s.swift_version = '6.0'/" ${{ inputs.product }}.podspec - name: Run setup command, if needed. if: inputs.setup_command != '' + env: + plist_secret: ${{ secrets.plist_secret }} run: ${{ inputs.setup_command }} - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 if: contains(join(inputs.platforms), matrix.platform) || matrix.os == 'macos-14' diff --git a/.github/workflows/mlmodeldownloader.yml b/.github/workflows/mlmodeldownloader.yml index 7569188c374..6e16642d311 100644 --- a/.github/workflows/mlmodeldownloader.yml 
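Review bot: In common_cocoapods.yml, the `Run setup command, if needed.` step now exports `plist_secret` to a script built by expanding `${{ inputs.setup_command }}` straight into `run:`, so every process the caller's command starts inherits the passphrase. Log masking only covers the literal secret value, not material derived from it such as the decrypted plist, and the `setup_command` documentation added in the second hunk does not say so. I would add `# The secret is visible to everything this command runs; never print the decrypted file.` to that comment. Because the secret is declared `required: false`, callers that omit it get an empty `plist_secret`, which also deserves a comment line next to the `secrets:` declaration in the first hunk. The job body continues outside the hunk.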
+++ b/.github/workflows/mlmodeldownloader.yml @@ -1,11 +1,16 @@ name: mlmodeldownloader +permissions: + contents: read + on: workflow_dispatch: pull_request: paths: - 'FirebaseMLModelDownloader**' - '.github/workflows/mlmodeldownloader.yml' + - '.github/workflows/common.yml' + - '.github/workflows/common_cocoapods.yml' - 'Gemfile*' schedule: # Run every day at 11pm (PST) - cron uses UTC times 
@@ -27,35 +32,16 @@ jobs: product: FirebaseMLModelDownloader target: FirebaseMLModelDownloader-Unit-unit - pod-lib-lint: - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - strategy: - matrix: - target: [ios, tvos, macos, watchos] - build-env: - - os: macos-14 - xcode: Xcode_16.2 - - os: macos-15 - xcode: Xcode_16.2 - runs-on: ${{ matrix.build-env.os }} - steps: - - uses: actions/checkout@v4 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Configure test keychain - run: scripts/configure_test_keychain.sh - - name: Install GoogleService-Info.plist - run: | + pod_lib_lint: + uses: ./.github/workflows/common_cocoapods.yml + with: + product: FirebaseMLModelDownloader + setup_command: | mkdir FirebaseMLModelDownloader/Tests/Integration/Resources scripts/decrypt_gha_secret.sh scripts/gha-encrypted/MLModelDownloader/GoogleService-Info.plist.gpg \ FirebaseMLModelDownloader/Tests/Integration/Resources/GoogleService-Info.plist "$plist_secret" - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.build-env.xcode }}.app/Contents/Developer - - name: Build and test - run: ([ -z $plist_secret ] || scripts/third_party/travis/retry.sh scripts/pod_lib_lint.rb FirebaseMLModelDownloader.podspec --platforms=${{ matrix.target }}) + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} mlmodeldownloader-cron-only: if: github.event_name == 'schedule' && github.repository == 'Firebase/firebase-ios-sdk' @@ -65,7 +51,7 @@ jobs: strategy: matrix: target: [ios, tvos, macos] - needs: pod-lib-lint + needs: pod_lib_lint steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1
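Review bot: The new `pod_lib_lint` job in mlmodeldownloader.yml drops both guards that the removed `pod-lib-lint` job had: the job-level `if:` that limited scheduled runs to `Firebase/firebase-ios-sdk`, and the `[ -z $plist_secret ] ||` check that skipped the lint when the secret was unavailable. On pull requests from forks `secrets.GHASecretsGPGPassphrase1` is empty, so `setup_command` calls `scripts/decrypt_gha_secret.sh` with an empty passphrase and the lint then presumably runs without a usable plist, unless common_cocoapods.yml handles that case outside the lines shown. The repository guard can stay on the calling job as `if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request'`. The empty-secret behaviour should be confirmed, or skipped explicitly inside the reusable workflow.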