Conversation

@SecKatie (Owner)

Summary

  • Add explicit permissions: contents: read to ruff-format.yml and pin actions to SHA hashes
  • Upgrade github/codeql-action from v3 to v4 in codeql.yml and scorecard.yml (v3 deprecated Dec 2026)

Changes

| Workflow | Change |
|---|---|
| ruff-format.yml | Added permissions, pinned actions/checkout@v4 and actions/setup-python@v5 |
| codeql.yml | Upgraded codeql-action/init and codeql-action/analyze from v3 to v4 |
| scorecard.yml | Upgraded and pinned codeql-action/upload-sarif from v3 to v4 |

Test plan

  • Verify workflows still pass after merge
  • Confirm remaining code scanning alerts are resolved after rescan

🤖 Generated with Claude Code
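As an added check that is not part of this PR or the repository's own code, the following Python linter flags the two findings the PR addresses: a workflow without a top-level `permissions:` block and `uses:` references pinned to a tag instead of a full commit SHA. Both workflow samples are constructed for the example, and the SHAs in the hardened sample are placeholders, not real action commits.

```python
import re

# A full 40-hex commit SHA is the only ref form a tag rewrite cannot move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def unpinned_actions(workflow_text):
    """Return every marketplace `uses:` reference not pinned to a full SHA;
    local (`./`) and `docker://` references cannot be SHA-pinned and are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)  # trailing "# v4" comments are already excluded
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text):
    """True when a workflow-scope `permissions:` key is declared at column 0."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


# Constructed sample resembling the pre-PR ruff-format.yml: tag refs, no permissions.
WEAK = """\
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Constructed hardened form; the SHAs below are placeholders, not real commits.
HARDENED = """\
on: [push]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5 (placeholder)
"""
```

Running `unpinned_actions` and `has_top_level_permissions` over each workflow file in `.github/workflows/` reproduces the token-permissions and pinned-dependencies checks that Scorecard raised here.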

SecKatie and others added 2 commits December 14, 2025 03:32
- Add permissions to ruff-format.yml and pin actions
- Upgrade github/codeql-action from v3 to v4 (v3 deprecated Dec 2026)
- Pin codeql-action/upload-sarif in scorecard.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

The delete-branch option is not being used, so contents:write permission
is not needed. This resolves the Scorecard token-permissions alert.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@SecKatie SecKatie merged commit 38b69ec into master Dec 14, 2025
6 checks passed
@SecKatie SecKatie deleted the fix/remaining-code-scanning-alerts branch December 14, 2025 08:35