Fix SonarCloud bugs and vulnerabilities

reidspencer · claude · reidspencer · commit 7fe1e31e6c70 · 2026-01-20T09:09:57.000-05:00
Bug fix:
- Pass.scala: Remove duplicate conditional branches that had identical code
  in both if and else blocks

Vulnerability fixes:
- hugo.yml: Move permissions from workflow level to job level
  - Build job: contents: read
  - Deploy job: pages: write, id-token: write

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
@@ -12,12 +12,6 @@ on:
       - '.github/workflows/hugo.yml'
 
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
@@ -34,6 +28,8 @@ jobs:
   build:
     timeout-minutes: 30
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       HUGO_VERSION: 0.112.0
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -114,6 +110,9 @@ jobs:
   # Deployment job
   deploy:
     timeout-minutes: 10
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/passes/shared/src/main/scala/com/ossuminc/riddl/passes/Pass.scala b/passes/shared/src/main/scala/com/ossuminc/riddl/passes/Pass.scala
@@ -338,16 +338,10 @@ abstract class DepthFirstPass(
         parents.pop()
         process(root, parents)
       case include: Include[?] =>
-        if withIncludes then
-          // Depth-first: process children first, then parent
-          // Don't add Include to parent stack - contents belong to parent container
-          include.contents.foreach { value => traverse(value, parents) }
-          process(include, parents)
-        else
-          // NOTE: no push/pop here because include is an unnamed container and does not participate in parent stack
-          include.contents.foreach { value => traverse(value, parents) }
-          process(include, parents)
-        end if
+        // Depth-first: process children first, then parent
+        // NOTE: no push/pop here because include is an unnamed container and does not participate in parent stack
+        include.contents.foreach { value => traverse(value, parents) }
+        process(include, parents)
       case leaf: Leaf =>
         process(leaf, parents)
       case branch: Branch[?] =>
