fix: pin mkdocs-material version, scope docs.yaml permissions, annotate cache key hashing

- Pin mkdocs-material==9.7.6 in docs.yaml and ci.yaml (Scorecard
  Pinned-Dependencies alert #1)
- Move pages/id-token write permissions to deploy job in docs.yaml
- Add nolint annotations on SHA256 cache key derivation (not password
  storage); CodeQL alerts #10 and #11 dismissed as false positives

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/ci.yaml

@@ -158,7 +158,7 @@ jobs:
       - name: Install MkDocs
         shell: bash -Eeuo pipefail {0}
         run: |
-          python3 -m pip install --user --break-system-packages mkdocs-material
+          python3 -m pip install --user --break-system-packages mkdocs-material==9.7.6
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
 
       - name: Build docs site

.github/workflows/docs.yaml

@@ -12,8 +12,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: docs
@@ -29,7 +27,7 @@ jobs:
 
       - name: Install MkDocs
         run: |
-          python3 -m pip install --user --break-system-packages mkdocs-material
+          python3 -m pip install --user --break-system-packages mkdocs-material==9.7.6
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
 
       - name: Build site
@@ -45,6 +43,9 @@ jobs:
     needs: build
     runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
     timeout-minutes: 5
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

internal/controller/prometheus.go

@@ -181,7 +181,7 @@ func collectorCacheKey(config *attunev1alpha1.PrometheusConfig, opts *rsmetrics.
 	}
 	key := collectorConfigPrefix(config.Address, headers, tlsConfig)
 	if opts != nil && opts.BearerToken != "" {
-		sum := sha256.Sum256([]byte(opts.BearerToken))
+		sum := sha256.Sum256([]byte(opts.BearerToken)) //nolint:gosec // cache key derivation, not password storage
 		key += fmt.Sprintf("|bearer:%x", sum[:8])
 	}
 	if opts != nil && len(opts.QueryParameters) > 0 {
@@ -557,7 +557,7 @@ func (r *AttunePolicyReconciler) resolveDatadogCollector(ctx context.Context, po
 
 	// Cache the collector keyed by site + API key hash, with full
 	// TTL eviction, capacity bound, and race-safe LoadOrStore.
-	cacheKey := fmt.Sprintf("datadog:%s|%x", site, sha256.Sum256([]byte(apiKey)))
+	cacheKey := fmt.Sprintf("datadog:%s|%x", site, sha256.Sum256([]byte(apiKey))) //nolint:gosec // cache key derivation, not password storage
 	collector, err := r.getOrCreateCollectorByKey(cacheKey, "datadog:"+site, func() (rsmetrics.MetricsCollector, error) {
 		inner := rsmetrics.NewDatadogCollector(site, apiKey, appKey, log.FromContext(ctx).WithName("datadog"))
 		// Datadog: 300 requests/hour => ~0.08 QPS; burst of 3 for concurrent queries.