Skip to content

Address Code Scanning alerts#38

Merged
mcgroarty merged 2 commits into
mainfrom
chore/code-scanning-fixes
Jun 4, 2026
Merged

Address Code Scanning alerts#38
mcgroarty merged 2 commits into
mainfrom
chore/code-scanning-fixes

Conversation

@mcgroarty

Copy link
Copy Markdown
Contributor

Addresses all 4 open Code Scanning alerts.

Changes

Alert #1actions/missing-workflow-permissions (ci.yml)

Added an explicit least-privilege permissions block at the workflow level:

permissions:
  contents: read

The CI workflow only checks out code, builds, and uploads an artifact — no repo write access needed. deploy.yml already had a correct permissions block, so it wasn't flagged.

Alerts #2 & #3actions/unpinned-tag (ci.yml, deploy.yml)

Pinned pnpm/action-setup@v4 to its commit SHA b906affcce14559ad1aafd4ab0e942779e9f58b1 in both workflows, with a trailing # v4 comment so Dependabot continues to track the v4 line and can update both the SHA and comment in lockstep.

Alert #4js/http-to-file-access (scripts/fetch-definitions.js)

Added an lgtm[js/http-to-file-access] suppression comment with justification. The rule's underlying concern (HTTP response controlling the write path) does not apply here — OUTPUT_PATH is hardcoded via import.meta.url, and the HTTP response only controls file contents, never file location. The default URL is a hardcoded secondlife/lsl-definitions raw URL, and the content is parsed downstream as YAML data, not executed.

Notes

mcgroarty added 2 commits June 3, 2026 17:29
- ci.yml: add least-privilege permissions block (contents: read)

- ci.yml/deploy.yml: pin pnpm/action-setup to commit SHA

- fetch-definitions.js: suppress js/http-to-file-access (OUTPUT_PATH is hardcoded)
@mcgroarty mcgroarty merged commit 5668de5 into main Jun 4, 2026
4 checks passed
@mcgroarty mcgroarty deleted the chore/code-scanning-fixes branch June 4, 2026 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant