fix: address security vulnerabilities and add CodeQL workflow

jcscottiii · jcscottiii · commit 7b112395bcde · 2025-10-08T20:37:50.000Z
- Add permissions to workflows to resolve code scanning alerts. See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning - Update tar-fs to resolve a high severity vulnerability. See: https://github.com/GoogleChrome/webstatus.dev/security/dependabot - Add a dedicated workflow for CodeQL analysis for Go, JavaScript/TypeScript, and Actions, including a build step to generate necessary packages. See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning/tools/CodeQL/status/configurations/automatic/50b81ab7aa14a07a66df525212035d409a54427fca55f64790c4765d94a09359 Generated with Gemini.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,8 +18,11 @@ on: # trigger builds for 1) PRs, 2) merges into main from merge_queue, and 3) ma
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.25'
   NODE_VERSION: '22'
   GO_CACHE_DEPENDENCY_PATH: '**/*.sum'
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript-typescript', 'actions' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Generate code
+      run: make gen
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v4
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
@@ -18,6 +18,10 @@ on:
   schedule:
     - cron: '0 0 * * 2' # Runs every Tuesday at midnight UTC
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   GO_VERSION: '1.23'
   NODE_VERSION: '22'
diff --git a/package-lock.json b/package-lock.json
