Skip to content

fix: address CodeQL security and code quality issues#572

Merged
JasonXuDeveloper merged 4 commits intomasterfrom
fix/codeql-security-issues
Jan 25, 2026
Merged

fix: address CodeQL security and code quality issues#572
JasonXuDeveloper merged 4 commits intomasterfrom
fix/codeql-security-issues

Conversation

@JasonXuDeveloper
Copy link
Copy Markdown
Owner

@JasonXuDeveloper JasonXuDeveloper commented Jan 25, 2026
edited
Loading

Summary

Addresses CodeQL security and code quality issues from code scanning.

Fixed Issues (17 of 55)

Category Count Fix
actions/missing-workflow-permissions 6 Added explicit permissions blocks
cs/useless-cast-to-self 4 Use GetAssetObject<T>() and pattern matching
cs/missed-ternary-operator 1 Convert if-else to ternary
cs/string-concatenation-in-loop 3 Use StringBuilder
cs/path-combine 1 Remove trailing slash
cs/static-field-written-by-instance 1 Use static setter method

Excluded from Future Scans (32 alerts)

Updated .github/codeql/codeql-config.yml to exclude intentional patterns:

Category Count Reason
cs/catch-of-all-exceptions 25 Generic catches are intentional for crash prevention in game framework
cs/nested-if-statements 5 Code style preference
cs/complex-block 1 Existing algorithm structure
cs/linq/missed-where 1 Project doesn't use LINQ (performance)

Remaining (6 alerts)

Category Count Status
cs/dispose-not-called-on-throw 6 Test code, low priority

Changes by File

CodeQL Config:

  • codeql-config.yml - Added query-filters to exclude intentional patterns

Workflows:

  • dco-check.yml - Added contents: read
  • pr-tests.yml - Added contents: read, pull-requests: write, statuses: write
  • release.yml - Added contents: write
  • unity-tests.yml - Added contents: read

Runtime Code:

  • Bootstrap.cs - Use GetAssetObject<T>() instead of casts, add static setter
  • EncryptConfig.cs - Remove trailing slash from path
  • CryptoUtils.cs - Added doc comment explaining foreach preference over LINQ

Editor Code:

  • BuildManager.cs - Convert if-else to ternary
  • EditorUIUtils.cs - Use StringBuilder for loop concatenation
  • SettingsUIBuilder.cs - Use pattern matching instead of cast

Test plan

  • Verify workflows still run correctly
  • Run Unity tests to ensure runtime changes don't break anything
  • Check CodeQL scan shows reduced alerts after merge

🤖 Generated with Claude Code

@JasonXuDeveloper
fix: address CodeQL security and code quality issues
4f27fab 
- Add explicit permissions to workflows (dco-check, pr-tests, release, unity-tests)
- Fix useless casts in Bootstrap.cs using GetAssetObject<T>()
- Fix useless cast in SettingsUIBuilder.cs using pattern matching
- Convert if-else to ternary in BuildManager.cs
- Use StringBuilder instead of string concatenation in loop (EditorUIUtils.cs)
- Remove trailing slash in Path.Combine (EncryptConfig.cs)
- Fix static field written by instance method (Bootstrap.cs)

Remaining issues are intentional:
- Generic catch clauses: kept for crash prevention in game framework
- Nested if-statements: code style preference
- Complex block: existing algorithm structure

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
@JasonXuDeveloper
chore(codeql): exclude intentional code patterns from analysis
3df312e 
Exclude rules that represent intentional design decisions:
- cs/catch-of-all-exceptions: crash prevention in game framework
- cs/nested-if-statements: acceptable code style
- cs/complex-block: algorithm implementations
- cs/linq/missed-where: LINQ avoided for performance

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jan 25, 2026
edited
Loading

Unity Test Results

EditMode: Tests failed
PlayMode: Tests failed

Unity Version: 2022.3.55f1
Project Path: UnityProject

❌ Some tests failed. Please fix the failing tests before merging.

View workflow run

Click here to view the full workflow run

@claude
Copy link
Copy Markdown

claude bot commented Jan 25, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

JasonXuDeveloper and others added 2 commits January 25, 2026 21:39
@JasonXuDeveloper
chore(ci): upgrade CodeQL action from v3 to v4
8ddfffa 
v3 will be deprecated in December 2026

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
@JasonXuDeveloper @claude
fix(ci): add checks:write permission for unity test runner
63b85ff 
The game-ci/unity-test-runner action needs checks:write permission
to create check runs via the checkName parameter.

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@JasonXuDeveloper JasonXuDeveloper force-pushed the fix/codeql-security-issues branch from cfe3a81 to 63b85ff Compare January 25, 2026 10:47
@JasonXuDeveloper JasonXuDeveloper merged commit 0400866 into master Jan 25, 2026
8 checks passed
@JasonXuDeveloper JasonXuDeveloper deleted the fix/codeql-security-issues branch January 25, 2026 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JasonXuDeveloper