fix: resolve CI failures in ruff, CodeQL, and dependency-review

- Remove unused imports flagged by ruff (F401) across source and tests
- Split semicolon-joined statements (E702) in registers.py and tests
- Update dependency-review-action to v4.9.0 (old SHA was unreachable)
- Add actions:read permission to CodeQL workflow for SARIF upload

Author: alhassankhedr-cohere

.github/workflows/codeql.yaml

@@ -9,6 +9,7 @@ on:
 permissions:
   security-events: write
   contents: read
+  actions: read
 
 jobs:
   analyze:

.github/workflows/dependency-review.yaml

@@ -13,6 +13,6 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48
         with:
           fail-on-severity: moderate

src/cvm_measure/tdx/baseline.py

@@ -45,12 +45,10 @@
     EV_EFI_PLATFORM_FIRMWARE_BLOB2,
     EV_EFI_VARIABLE_BOOT,
     EV_EFI_VARIABLE_DRIVER_CONFIG,
-    EV_IPL,
     EV_PLATFORM_CONFIG_FLAGS,
     EV_SEPARATOR,
     TPM_ALG_SHA384,
     EventLogEntry,
-    ParsedEventLog,
     parse_event_log,
 )
 

src/cvm_measure/tdx/registers.py

@@ -143,14 +143,17 @@ def _compute_rtmr0(firmware: bytes, baseline: Baseline) -> str:
     digests: list[bytes] = []
     bi = 0
 
-    digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+    digests.append(bytes.fromhex(baseline_events[bi].digest))
+    bi += 1
     digests.append(cfv_digest)
     digests.append(sb_flag_digest)
     for _ in range(4):
-        digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+        digests.append(bytes.fromhex(baseline_events[bi].digest))
+        bi += 1
     digests.append(SEPARATOR_DIGEST)
     while bi < len(baseline_events):
-        digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+        digests.append(bytes.fromhex(baseline_events[bi].digest))
+        bi += 1
 
     return replay_digests(digests).hex()
 

tests/test_cli.py

@@ -17,8 +17,6 @@
 from __future__ import annotations
 
 import json
-from pathlib import Path
-from unittest.mock import patch
 
 import pytest
 

tests/test_registers.py

@@ -19,8 +19,6 @@
 import hashlib
 import struct
 
-import pytest
-
 from cvm_measure.tdx.registers import (
     EFI_ACTION_DIGESTS,
     SEPARATOR_DIGEST,
@@ -82,14 +80,17 @@ def test_rtmr0_matches_golden(self, baseline_a3, golden_a3, ccel_data_a3) -> Non
 
         digests = []
         bi = 0
-        digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+        digests.append(bytes.fromhex(baseline_events[bi].digest))
+        bi += 1
         digests.append(cfv_event)
         digests.append(compute_secureboot_digest("SecureBoot", sb_flag_data))
         for _ in range(4):
-            digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+            digests.append(bytes.fromhex(baseline_events[bi].digest))
+            bi += 1
         digests.append(SEPARATOR_DIGEST)
         while bi < len(baseline_events):
-            digests.append(bytes.fromhex(baseline_events[bi].digest)); bi += 1
+            digests.append(bytes.fromhex(baseline_events[bi].digest))
+            bi += 1
 
         rtmr0 = replay_digests(digests).hex()
         assert rtmr0 == golden_a3.rtmr0

tests/test_rtmr.py

@@ -17,9 +17,6 @@
 from __future__ import annotations
 
 import hashlib
-import struct
-
-import pytest
 
 from cvm_measure.tdx.rtmr import SHA384_SIZE, extend_rtmr, replay_digests
 

tests/test_uefi.py

@@ -16,8 +16,6 @@
 
 from __future__ import annotations
 
-import hashlib
-
 from cvm_measure.tdx.uefi import (
     build_uefi_variable_data,
     compute_secureboot_digest,