Resolve existing CodeQL alerts

[cbusillo]

Problem

During the workflow metadata rollout, GitHub code scanning showed 3 existing open alerts:

• py/clear-text-logging-sensitive-data in docker/scripts/run_odoo_data_workflows.py near line 1381
  https://github.com/cbusillo/odoo-devkit/security/code-scanning/3
• py/clear-text-storage-sensitive-data in odoo_devkit/ide_support.py near line 73
  https://github.com/cbusillo/odoo-devkit/security/code-scanning/2
• actions/missing-workflow-permissions in .github/workflows/ci.yml near line 12
  https://github.com/cbusillo/odoo-devkit/security/code-scanning/1

These appear to be pre-existing findings and are not introduced by the workflow metadata PR.

Direction

Resolve or explicitly triage the CodeQL alerts in a focused security/quality cleanup pass.

Acceptance Criteria

• Each open CodeQL alert is either fixed or documented as a justified false positive/suppression.
• CI and repo quality gates pass after the changes.
• GitHub code scanning is rechecked and the alert count is reduced or the remaining state is explicitly explained.

---

Migrated from bot-authored issue #20 because shiny-code-bot is awaiting spam appeal. Original created: 2026-04-29T19:48:00Z.

[cbusillo]

Resolved by #27 and validated after merge on main.

Post-merge evidence:

• CI on main passed: https://github.com/cbusillo/odoo-devkit/actions/runs/25287253334
• CodeQL on main passed: https://github.com/cbusillo/odoo-devkit/actions/runs/25287253222
• Open code scanning alerts on main: none
• Open secret scanning alerts: none
• Open Dependabot alerts: none

The remaining intentional PyCharm Odoo config finding was dismissed in GitHub code scanning as a false positive with the rationale that it is a generated local tooling config and the generator applies owner-only permissions when supported.