fix: address security vulnerabilities and improve CI

jcscottiii · jcscottiii · commit a0532769fdbd · 2025-10-08T21:06:42.000Z
This commit addresses multiple security vulnerabilities and improves the CI workflow. - Security: - Patches a high-severity vulnerability in the tar-fs npm package by updating dependencies. See: https://github.com/GoogleChrome/webstatus.dev/security/dependabot - Adds explicit permissions to GitHub Actions workflows to mitigate potential security risks. See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning - CI/CodeQL: - Integrates CodeQL analysis directly into the main build job in the ci.yml workflow for Go, JavaScript/TypeScript, and Actions. - The CodeQL analysis now leverages the devcontainer, ensuring a consistent and accurate build environment. - This resolves previous CodeQL failures by ensuring generated code is available for analysis. See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning/tools/CodeQL/status/configurations/automatic/50b81ab7aa14a07a66df525212035d409a54427fca55f64790c4765d94a09359 Generated with Gemini.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,14 +18,20 @@ on: # trigger builds for 1) PRs, 2) merges into main from merge_queue, and 3) ma
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.25'
   NODE_VERSION: '22'
   GO_CACHE_DEPENDENCY_PATH: '**/*.sum'
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout (GitHub)
         uses: actions/checkout@v5
@@ -37,15 +43,21 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go, javascript-typescript, actions
       - name: Get Repo Owner
         id: get_repo_owner
         run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
-      - name: Run precommit target for CI
+      - name: Run build and precommit for CI
         uses: devcontainers/ci@v0.3
         with:
           cacheFrom: ghcr.io/${{ env.REPO_OWNER }}/webstatus-dev-devcontainer-ci-precommit
           push: never
-          runCmd: make precommit
+          runCmd: make gen && make precommit
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
   playwright:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
@@ -18,8 +18,12 @@ on:
   schedule:
     - cron: '0 0 * * 2' # Runs every Tuesday at midnight UTC
 
+permissions:
+  contents: read
+  packages: write
+
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.25'
   NODE_VERSION: '22'
   GO_CACHE_DEPENDENCY_PATH: '**/*.sum'
 
diff --git a/package-lock.json b/package-lock.json
