fix(ci): resolve security issues, bugs, and redundancy across CI/CD pipelines

Security fixes:
- Fix script injection in performance-consolidated.yml (PR comment via env var)
- Fix script injection in release-v2.yml (user input via env var)
- Fix token exposure in release-consolidated.yml (use env var instead of CLI arg)
- Remove hardcoded RUSTSEC ignore and || true defeating security audit

Permissions hardening:
- Add missing permissions blocks to ci-unified, ci, cross-platform-validation,
  performance-optimized, and changelog workflows

Bug fixes:
- Fix Docker image tag mismatch in docker-improved.yml (use metadata tags)
- Fix Windows error test using bash syntax in PowerShell shell
- Fix git push auth failure in performance-consolidated.yml (use artifact upload)
- Fix mtime-based workflow age check (use git log in CI instead of find -mtime)
- Remove dead macOS brew test step running on ubuntu-latest
- Fix concurrent cargo builds racing on shared target directory
- Fix cross install from unpinned git HEAD (use --locked from crates.io)
- Fix release-consolidated.yml bot email to proper GitHub noreply address
- Replace dead PR comment step with artifact upload in cross-platform-validation
- Use annotated tags in release-consolidated.yml

Consolidation (reduce redundant CI runs):
- Disable PR/push triggers on quality-consolidated.yml (overlap with ci-optimized)
- Disable PR trigger on quality.yml (overlap with ci-optimized)
- Disable schedule on testing.yml (duplicate of test-consolidated.yml same time)
- Disable PR trigger on tag-after-release-pr.yml (duplicate of release-consolidated)
- Disable PR/push triggers on performance-optimized.yml (overlap with ci-optimized)

Other improvements:
- Add explicit permissions to ci-optimized.yml
- Deprecate ci-unified.yml and ci.yml push/PR triggers (keep scheduled/release)
- Migrate Semgrep from deprecated action to container-based scan
- Relax Cargo.toml tree-sitter version pins to semver-compatible ranges
- Add .mcp.json to .gitignore
- Fix clippy warning in src/error.rs (use std::io::Error::other)

Author: docdyhr

.github/workflows/changelog.yml

@@ -3,10 +3,13 @@ name: Changelog Generation
 on:
   workflow_dispatch:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
-      - 'cliff.toml'
-      - '.github/workflows/changelog.yml'
+      - "cliff.toml"
+      - ".github/workflows/changelog.yml"
+
+permissions:
+  contents: read
 
 jobs:
   generate:

.github/workflows/ci-optimized.yml

@@ -14,6 +14,12 @@ on:
         required: false
         default: "Manual CI execution"
 
+# Explicit permissions for security best practices
+permissions:
+  contents: read
+  checks: write
+  pull-requests: read
+
 # Concurrency controls to prevent redundant runs
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/ci-unified.yml

@@ -1,13 +1,21 @@
 name: Unified CI/CD Pipeline
 
+# DEPRECATED: This workflow is replaced by ci-optimized.yml
+# Keeping for scheduled comprehensive testing only
 on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
-    types: [ opened, synchronize, reopened ]
+  # push:
+  #   branches: [ main ]
+  # pull_request:
+  #   branches: [ main ]
+  #   types: [ opened, synchronize, reopened ]
+  schedule:
+    # Run weekly on Sundays at 4 AM UTC
+    - cron: "0 4 * * 0"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

.github/workflows/ci.yml

@@ -1,14 +1,19 @@
 name: CI/CD
 
+# DEPRECATED: This workflow is replaced by ci-optimized.yml
+# Keeping only for release builds
 on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
+  # push:
+  #   branches: [main, develop]
+  # pull_request:
+  #   branches: [main]
   release:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 # Concurrency control to prevent redundant runs
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/cross-platform-validation.yml

@@ -7,15 +7,18 @@ on:
   workflow_dispatch:
     inputs:
       test_type:
-        description: 'Type of cross-platform test to run'
+        description: "Type of cross-platform test to run"
         required: true
-        default: 'full'
+        default: "full"
         type: choice
         options:
           - full
           - quick
           - targets-only
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 
@@ -78,7 +81,7 @@ jobs:
 
       - name: Install cross (for cross-compilation)
         if: matrix.cross == true
-        run: cargo install cross --git https://github.com/cross-rs/cross
+        run: cargo install cross --locked
 
       - name: Cache cargo registry
         uses: actions/cache@v5
@@ -215,17 +218,20 @@ jobs:
           ./target/release/batless${{ matrix.binary_extension }} large_test.txt --max-lines=100 --mode=plain > /dev/null
           ./target/release/batless${{ matrix.binary_extension }} large_test.txt --max-bytes=1024 --mode=plain > /dev/null
 
-      - name: Test error handling
-        shell: ${{ matrix.shell }}
+      - name: Test error handling (Unix)
+        if: matrix.os != 'windows-latest'
+        shell: bash
         run: |
-          # Test non-existent file (cross-platform compatible)
-          if [[ "${{ matrix.os }}" == "windows-latest" ]]; then
-            ./target/release/batless${{ matrix.binary_extension }} nonexistent.txt 2>&1 | findstr /i "error" || echo "Error handling test passed"
-          else
-            set +e  # Don't fail on expected errors
-            ./target/release/batless${{ matrix.binary_extension }} nonexistent.txt 2>&1 | grep -i "error" || echo "Error handling test passed"
-            set -e
-          fi
+          set +e  # Don't fail on expected errors
+          ./target/release/batless nonexistent.txt 2>&1 | grep -i "error" || echo "Error handling test passed"
+          set -e
+
+      - name: Test error handling (Windows)
+        if: matrix.os == 'windows-latest'
+        shell: pwsh
+        run: |
+          $output = & "./target/release/batless.exe" nonexistent.txt 2>&1 | Out-String
+          if ($output -match "(?i)error") { Write-Host "Error handling test passed" } else { Write-Host "Error handling test passed (no error string)" }
 
   integration-validation:
     name: Integration Validation
@@ -273,7 +279,8 @@ jobs:
     name: Cross-Platform Report
     runs-on: ubuntu-latest
     if: always()
-    needs: [cross-compile-targets, platform-specific-tests, integration-validation]
+    needs:
+      [cross-compile-targets, platform-specific-tests, integration-validation]
 
     steps:
       - name: Generate cross-platform report
@@ -306,16 +313,9 @@ jobs:
 
           cat report.md
 
-      - name: Comment on PR with results
-        if: github.event_name == 'pull_request'
-        uses: actions/github-script@v8
+      - name: Upload report
+        uses: actions/upload-artifact@v6
         with:
-          script: |
-            const fs = require('fs');
-            const report = fs.readFileSync('report.md', 'utf8');
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: report
-            });
+          name: cross-platform-report
+          path: report.md
+          retention-days: 30

.github/workflows/docker-improved.yml

@@ -10,9 +10,9 @@ on:
   workflow_dispatch:
     inputs:
       reason:
-        description: 'Reason for manual trigger'
+        description: "Reason for manual trigger"
         required: false
-        default: 'Manual testing'
+        default: "Manual testing"
 
 env:
   REGISTRY: ghcr.io
@@ -96,10 +96,12 @@ jobs:
           provenance: false
 
       - name: Test Docker image (amd64)
-        if: always()
+        if: success() && steps.dyn.outputs.push == 'false'
         run: |
-          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} --version
-          echo "fn main() { println!(\"Hello\"); }" | docker run --rm -i ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} --language=rust
+          # Use the first tag from metadata (available locally after build)
+          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -1)
+          docker run --rm "${IMAGE_TAG}" --version
+          echo "fn main() { println!(\"Hello\"); }" | docker run --rm -i "${IMAGE_TAG}" --language=rust
 
       - name: Generate artifact summary
         if: github.event_name != 'pull_request'

.github/workflows/health-check.yml

@@ -3,7 +3,7 @@ name: Repository Health Check
 on:
   schedule:
     # Run daily at 6 AM UTC
-    - cron: '0 6 * * *'
+    - cron: "0 6 * * *"
   workflow_dispatch:
 
 permissions:
@@ -46,13 +46,20 @@ jobs:
           fi
           echo "" >> health-report.md
 
-          # Check for outdated workflows
+          # Check for outdated workflows (using git log, not filesystem mtime)
           echo "## Workflow File Ages" >> health-report.md
-          OLD_WORKFLOWS=$(find .github/workflows -name "*.yml" -mtime +90)
+          OLD_WORKFLOWS=""
+          NINETY_DAYS_AGO=$(date -u -d '90 days ago' '+%Y-%m-%d' 2>/dev/null || date -u -v-90d '+%Y-%m-%d')
+          for wf in .github/workflows/*.yml; do
+            LAST_MODIFIED=$(git log -1 --format='%ai' -- "$wf" 2>/dev/null | cut -d' ' -f1)
+            if [ -n "$LAST_MODIFIED" ] && [ "$LAST_MODIFIED" \< "$NINETY_DAYS_AGO" ]; then
+              OLD_WORKFLOWS="${OLD_WORKFLOWS}${wf} (last modified: ${LAST_MODIFIED})\n"
+            fi
+          done
           if [ -n "$OLD_WORKFLOWS" ]; then
             echo "⚠️ Workflows not updated in 90+ days:" >> health-report.md
             echo '```' >> health-report.md
-            echo "$OLD_WORKFLOWS" >> health-report.md
+            echo -e "$OLD_WORKFLOWS" >> health-report.md
             echo '```' >> health-report.md
             ISSUES_FOUND=$((ISSUES_FOUND + 1))
           else

.github/workflows/performance-consolidated.yml

@@ -23,7 +23,7 @@ on:
   workflow_dispatch:
     inputs:
       update_baseline:
-        description: 'Update performance baseline'
+        description: "Update performance baseline"
         required: false
         type: boolean
         default: false
@@ -233,14 +233,13 @@ jobs:
           cp benchmark_results.md .github/performance/baseline.md
           echo "updated=true" >> "$GITHUB_OUTPUT"
 
-          # If we have git changes, commit them
-          if ! git diff --quiet .github/performance/; then
-            git config --local user.email "action@github.com"
-            git config --local user.name "GitHub Action"
-            git add .github/performance/
-            git commit -m "Update performance baseline [skip ci]"
-            git push
-          fi
+      - name: Upload baseline artifact
+        if: steps.baseline.outputs.updated == 'true'
+        uses: actions/upload-artifact@v6
+        with:
+          name: performance-baseline
+          path: .github/performance/baseline.md
+          retention-days: 90
 
   comment-pr:
     name: Comment on PR
@@ -250,13 +249,15 @@ jobs:
     steps:
       - name: Comment PR
         uses: actions/github-script@v8
+        env:
+          PR_COMMENT: ${{ needs.benchmark.outputs.pr-comment }}
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `${{ needs.benchmark.outputs.pr-comment }}`
+              body: process.env.PR_COMMENT
             })
 
   create-issue:

.github/workflows/performance-optimized.yml

@@ -1,18 +1,22 @@
 name: Performance Optimized CI
 
+# PR/push triggers disabled to avoid overlap with ci-optimized.yml
+# Use workflow_dispatch for manual performance-focused CI runs
 on:
-  # Ultra-fast performance CI for development workflow
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches: [develop]
+  # pull_request:
+  #   types: [opened, synchronize, reopened]
+  # push:
+  #   branches: [develop]
   workflow_dispatch:
     inputs:
       test_reason:
         description: "Reason for performance testing"
         required: false
         default: "Performance CI execution"
 
+permissions:
+  contents: read
+
 # Aggressive concurrency to cancel outdated runs
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
@@ -149,21 +153,14 @@ jobs:
         with:
           save-if: false
 
-      - name: Parallel checks
-        run: |
-          # Run multiple checks in parallel
-          cargo clippy --no-deps -- -W clippy::all &
-          clippy_pid=$!
-
-          cargo check --all-features &
-          check_pid=$!
+      - name: Run clippy
+        run: cargo clippy --no-deps -- -W clippy::all
 
-          # Documentation check
-          cargo doc --no-deps --all-features &
-          doc_pid=$!
+      - name: Check all features
+        run: cargo check --all-features
 
-          # Wait for all
-          wait $clippy_pid $check_pid $doc_pid
+      - name: Documentation check
+        run: cargo doc --no-deps --all-features
 
   # Minimal security check
   security-quick:
@@ -178,9 +175,7 @@ jobs:
       - uses: dtolnay/rust-toolchain@stable
 
       - name: Quick audit
-        run: |
-          # Only check for critical vulnerabilities
-          cargo audit --deny warnings --ignore RUSTSEC-2020-0071 || true
+        run: cargo audit
 
   # Final aggregation
   ci-complete:

.github/workflows/quality-consolidated.yml

@@ -1,10 +1,12 @@
 name: Code Quality & Security
 
+# CONSOLIDATED: PR/push triggers disabled to avoid overlap with ci-optimized.yml
+# Kept for scheduled weekly security/quality checks only
 on:
-  pull_request:
-    branches: [main]
-  push:
-    branches: [main]
+  # pull_request:
+  #   branches: [main]
+  # push:
+  #   branches: [main]
   schedule:
     # Run security checks weekly
     - cron: "0 2 * * 1"
@@ -28,7 +30,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: "20"
 
       - name: Install markdownlint-cli2
         run: npm install -g markdownlint-cli2@0.14.0