
chore: resolve GitHub code scanning alerts #147

Merged
StefanSteiner merged 2 commits into tableau:main from StefanSteiner:fix/code-scanning-alerts
Jun 16, 2026

Conversation

@StefanSteiner Contributor

Summary

Resolves all 25 open GitHub CodeQL code scanning alerts:

  • 14 workflow permissions alerts — add explicit permissions: { contents: read } to ci.yml, release.yml, npm-build-publish.yml, and verify-hyperd-pin.yml
  • 6 path-injection / rate-limiting alerts — add lgtm suppression comments in hyper-explorer example (localhost-only tool where user-controlled paths are by design)
  • 5 hard-coded crypto value alerts — dismissed via API as "used in tests" (all are #[cfg(test)] fixtures)

Test plan

  • CI passes with the new restricted permissions blocks (confirms contents: read is sufficient)
  • Verify all 25 alerts show as closed/dismissed on the code scanning page

- Add explicit `permissions: { contents: read }` to all workflow files
  that lacked one (ci, release, npm-build-publish, verify-hyperd-pin).
  Enforces least-privilege for GITHUB_TOKEN. (14 alerts)

- Add lgtm suppression comments for the js/path-injection and
  js/missing-rate-limiting alerts in the hyper-explorer example server.
  This is a localhost-only file browser — user-controlled paths are the
  intended design, and rate limiting is irrelevant. (6 alerts)
@StefanSteiner StefanSteiner merged commit e5d64fe into tableau:main Jun 16, 2026
13 checks passed
StefanSteiner added a commit that referenced this pull request Jun 16, 2026
fix(ci): grant contents:write to release publish job

The workflow-level `permissions: contents: read` (added in #147) blocks
`softprops/action-gh-release` from creating the GitHub Release. Add a
job-level override on the `publish` job so it can write releases while
the `verify` job stays read-only.
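The two changes described above (a workflow-level read-only default, then a job-level write override for the job that publishes the release) fit together as shown in the following workflow. This is an added illustration, not the repository's own `release.yml`: the job names `verify` and `publish` and the `softprops/action-gh-release` action come from the commit message, while the trigger, the test command, the action version tags and the artifact path are assumptions.

```yaml
name: release

on:
  push:
    tags: ['v*']          # assumed trigger

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless it
# opts in to more below. Any scope not listed here is set to "none".
# This is the block the CodeQL workflow-permissions alerts ask for.
permissions:
  contents: read

jobs:
  verify:
    # Inherits the workflow-level token: it can check out the code but
    # cannot push, create releases or publish packages.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed version tag
      - run: cargo test --all-features     # assumed test command

  publish:
    needs: verify
    runs-on: ubuntu-latest
    # Job-level override: only this job receives a token that can write
    # repository contents, which is what creating a GitHub Release requires.
    # Without it the release step fails with a permissions error from the
    # Releases API, because the workflow-level default is read-only.
    # A job-level block replaces the whole default, so every scope this job
    # needs must be listed here; anything omitted is "none".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4          # assumed version tag
      - uses: softprops/action-gh-release@v2   # assumed version tag
        with:
          files: target/release/*.tar.gz   # assumed artifact path
```

Keeping the override on the single job that needs it, rather than widening the workflow-level block, limits a compromised or misbehaving step in `verify` to read-only access; the CI run on the page is the check that the read-only default is sufficient for the remaining jobs.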