fix(workflows): address codeql medium findings

[bedatty]

GitHub Actions Shared Workflows

---

Description

Resolves 5 CodeQL medium findings surfaced on PR #233's scan.

• actions/missing-workflow-permissions (4 findings) — release.yml and release-notification.yml did not constrain GITHUB_TOKEN. Both workflows perform all writes through a dedicated GitHub App token (actions/create-github-app-token), so the default GITHUB_TOKEN only needs read access. Added a workflow-level permissions: contents: read block to both files.
• actions/untrusted-checkout/medium (1 finding) — helm-update-chart.yml checks out inputs.base_branch, which CodeQL flagged as potentially untrusted input. Added a Validate base_branch step that restricts the input to an allowlist (main, develop, master, staging) before the checkout runs. Updated the inline rationale comment accordingly.

Affected workflows:

• .github/workflows/release.yml
• .github/workflows/release-notification.yml
• .github/workflows/helm-update-chart.yml

Type of Change

• feat: New workflow or new input/output/step in an existing workflow
• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
• perf: Performance improvement (e.g. caching, parallelism, reduced steps)
• refactor: Internal restructuring with no behavior change
• docs: Documentation only (README, docs/, inline comments)
• ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
• chore: Dependency bumps, config updates, maintenance
• test: Adding or updating tests
• BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

Callers of helm-update-chart.yml that pass base_branch values outside the allowlist (main, develop, master, staging) will now fail with an explicit error instead of silently attempting the checkout. Known callers use main or develop, so no migration is expected.

Testing

• YAML syntax validated locally
• Triggered a real workflow run on a caller repository using @develop or the beta tag
• Verified all existing inputs still work with default values
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run: Validation will come from the CodeQL re-scan triggered on this PR.

Related Issues

Related to #233 — findings surfaced by the CodeQL scan on that PR.

Summary by CodeRabbit

• Chores
  • Added validation to allow only approved base branches (main, develop, master, staging) and updated the documented default to main.
  • Improved branch handling so workflows fetch and switch to the intended base branch before running.
  • Applied least-privilege workflow permissions for repository contents (read-only).

[coderabbitai]

Walkthrough

Updated three GitHub Actions workflows: added top-level permissions: { contents: read } to two workflows; the Helm chart update workflow now validates inputs.base_branch against an allowlist, removes checkout ref pinning, and switches branches via explicit git fetch / git checkout -B steps.

Changes

Cohort / File(s)	Summary
Permission Declarations \.github/workflows/release-notification.yml, \.github/workflows/release.yml	Added top-level permissions: { contents: read } to limit repository content permissions for these workflows.
Helm update workflow — branch handling & validation \.github/workflows/helm-update-chart.yml	Updated on.workflow_call.inputs.base_branch.description to list allowed values (main, develop, master, staging) and default main; added a Validate base_branch step that errors on disallowed values; removed ref: ${{ inputs.base_branch }} from actions/checkout; added git fetch origin/<base_branch> and git checkout -B <base_branch> origin/<base_branch> to switch branches; removed a prior CodeQL comment block.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the core fix: addressing CodeQL medium-severity findings in workflow files through security hardening.
Description check	✅ Passed	The description is comprehensive, documents all three affected workflows, specifies the exact CodeQL findings addressed, and clearly notes the breaking change for callers passing out-of-allowlist base_branch values.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/codeql-workflow-permissions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	3 file(s)	✅ success
Action Lint	3 file(s)	✅ success
Pinned Actions	3 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	3 file(s)	✅ success
Shell Check	3 file(s)	✅ success
README Check	3 file(s)	✅ success
Composite Schema	no changes	⏭️ skipped
Deployment Matrix	no changes	⏭️ skipped

⚠️ Warnings (7)

Pinned Actions

.github

• .github (line 107) — Found 6 internal action(s) not pinned to a version. Consider pinning to vX.Y.Z.

.github/workflows/release.yml

• .github/workflows/release.yml (line 191) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/config/backmerge-pr@v1.21.0
• .github/workflows/release.yml (line 180) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/config/release-tag-check@v1.21.0
• .github/workflows/release.yml (line 156) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/config/release-tag-snapshot@v1.22.0
• .github/workflows/release.yml (line 66) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/config/changed-paths@v1.18.0

.github/workflows/release-notification.yml

• .github/workflows/release-notification.yml (line 180) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/notify/slack-release@v1.18.0
• .github/workflows/release-notification.yml (line 168) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/notify/discord-release@v1.18.0

---

_{🔍 View full scan logs}

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.

---

_{🔍 View full scan logs | 🛡️ Security tab}

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 166-167: Update the security rationale comment to avoid
overstating guarantees: change the sentence that claims the ref "cannot be
attacker-controlled" to accurately say that the ref (base_branch) is
caller-controlled but is validated against an allowlist before checkout (e.g.,
via workflow_call validation), so the ref is constrained by that allowlist
rather than inherently non-attacker-controlled; locate and edit the comment
around the base_branch/checkout lines to reflect this precise wording.
- Around line 101-113: The workflow input contract for inputs.base_branch must
match the new validation: update the inputs.base_branch metadata (description
and default) to explicitly list the allowed branches (main, develop, master,
staging) and set the default to one of those allowed values (choose either
develop or main to resolve the current conflict), and/or remove the hard-fail in
the case block if you intend to accept other branches; ensure any external docs
or README that describe base_branch are also updated to reflect the allowed set.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d9f6f8d1-60a2-4f30-a8e0-9739ed07b909

📥 Commits

Reviewing files that changed from the base of the PR and between bfbbd5b and 14621a1.

📒 Files selected for processing (3)

• .github/workflows/helm-update-chart.yml
• .github/workflows/release-notification.yml
• .github/workflows/release.yml

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/helm-update-chart.yml (1)

24-27: ⚠️ Potential issue | 🟠 Major

Align base_branch input contract with enforced validation (breaking for callers).

Line 25 still documents a develop default while Line 27 sets main, and the input description does not declare the enforced allowlist introduced at Line 101-Line 113. This is now a caller-facing contract mismatch because unsupported branches fail hard.

Suggested fix

      base_branch:
-        description: 'Target branch for the PR (default: develop)'
+        description: 'Target branch for the PR. Allowed: main, develop, master, staging (default: main)'
         type: string
         default: 'main'

As per coding guidelines: "Flag any removed or renamed input/output as a breaking change for callers".

Also applies to: 101-113

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-update-chart.yml around lines 24 - 27, Update the
base_branch input docs to match the actual default and enforcement: change the
description to state the default is "main" (not "develop") and explicitly
document the allowed branch values enforced by the workflow's
allowlist/validation (so callers know which branches will be accepted); ensure
the base_branch input definition (the input named base_branch) and its
description reflect the enforced allowlist implemented elsewhere in the workflow
so this caller-facing contract is consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 24-27: Update the base_branch input docs to match the actual
default and enforcement: change the description to state the default is "main"
(not "develop") and explicitly document the allowed branch values enforced by
the workflow's allowlist/validation (so callers know which branches will be
accepted); ensure the base_branch input definition (the input named base_branch)
and its description reflect the enforced allowlist implemented elsewhere in the
workflow so this caller-facing contract is consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f19bae32-fa21-48a0-b3f2-dfff5e4c029c

📥 Commits

Reviewing files that changed from the base of the PR and between 14621a1 and 95a335b.

📒 Files selected for processing (1)

• .github/workflows/helm-update-chart.yml

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 172-178: The checkout step uses git checkout "${BASE_BRANCH}"
which can leave a stale local branch; change it to explicitly use the
remote-tracking ref (origin/${BASE_BRANCH}) so you get the freshly fetched
history—e.g., replace git checkout "${BASE_BRANCH}" with git checkout
"origin/${BASE_BRANCH}" or reset the local branch to the remote via git checkout
-B "${BASE_BRANCH}" "origin/${BASE_BRANCH}" (referencing BASE_BRANCH, git fetch
origin "${BASE_BRANCH}", and git checkout).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 352f5cce-535c-42a5-92e5-fd01d4842a4c

📥 Commits

Reviewing files that changed from the base of the PR and between 95a335b and 24bdd6f.

📒 Files selected for processing (1)

• .github/workflows/helm-update-chart.yml

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 101-113: Add an explicit workflow-level permissions block to
harden the workflow by defaulting to least privilege (set permissions: contents:
read at the top of the workflow) and then elevate permissions only in specific
jobs/steps that need more access; update the workflow YAML to include the
top-level permissions stanza and, if any job needs write or additional scopes,
add a per-job permissions override (for example in the job that performs chart
updates) rather than leaving permissions implicit—this change targets the
workflow containing the "Validate base_branch" step so you can locate the file
and apply the global permissions change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 06c87709-4c3b-4bcf-a0e3-4523b4151eb4

📥 Commits

Reviewing files that changed from the base of the PR and between 24bdd6f and 20c347c.

📒 Files selected for processing (1)

• .github/workflows/helm-update-chart.yml

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 104-116: Remove the unnecessary success echo in the base_branch
validation case: in the shell block that reads the BASE_BRANCH env var (the case
... esac for BASE_BRANCH), delete the line that prints "✅ base_branch
'${BASE_BRANCH}' is allowed" so the normal execution path produces no extra
output and only fails via non-zero exit on invalid branches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 63e75259-610a-41fd-8d60-5cdf3f2fa9f0

📥 Commits

Reviewing files that changed from the base of the PR and between 20c347c and cf3a2ed.

📒 Files selected for processing (1)

• .github/workflows/helm-update-chart.yml