chore: ruff F401/F841 + workflow least-privilege (16 CodeQL findings cleared)#79
chore: ruff F401/F841 + workflow least-privilege (16 CodeQL findings cleared)#79Prekzursil wants to merge 2 commits into
Conversation
Leveraged single-rule transform for the Quality-Zero-Platform drive-to-zero campaign. Removes dead code that CodeQL flags as unused, behavior-preserving: - 14x py/unused-import (F401): ruff check --select F401 --fix, scoped to backend/ with --exclude venv. Removes genuinely-dead imports across serializers, views, tasks, tests, urls and adapters. - 1x py/unused-local-variable (F841): removed `user = request.user` dead store in PasswordChangeView.post (pure RHS, never read; auth already enforced by IsAuthenticated permission class). Verification: `ruff check backend --exclude venv --select F401` clean; `python -m compileall` clean on all 11 changed files. No venv files touched (the committed backend/venv purge is handled separately in PR #78).
…(2 findings) Clears 2x actions/missing-workflow-permissions (CodeQL). Both workflows are pure test/lint runners (checkout -> setup-python -> pip install -> compileall/ flake8) that only read the repo; neither pushes, comments, or uploads. Adds a top-level `permissions: contents: read` block to each (least privilege). Part of the Quality-Zero-Platform drive-to-zero campaign. Static YAML only, no toolchain/build needed.
|
Unable to trigger custom agent "Code Reviewer". You have run out of credits 😔 |
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Review limit reached
More reviews will be available in 5 minutes and 55 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (13)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
codeant-ai
Bot
added
the
size:XS
|
CodeAnt AI finished reviewing your PR. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | ✅ 0 (≤ 10 complexity) |
| Duplication | ✅ 0 (≤ 0 duplication) |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
1 participant
User description
Quality-Zero-Platform: leveraged drive-to-zero
Two safe, high-leverage, single-rule CodeQL transforms. No behavior change.
Every edit is dead-code removal or static CI hardening; no logic was modified.
Plays applied
1. Python dead-code autofix (
ruffsingle-rule transform) — 14 CodeQL alertspy/unused-import(13 alerts / 14 import names):ruff check backend --exclude venv --select F401 --fix. Removes genuinely-dead imports across serializers, views, tasks, tests, urls, adapters.users/urls.py's two unused names (GoogleLogin,GithubLogin) count as one CodeQL alert.py/unused-local-variable(1 alert): removed theuser = request.userdead store inPasswordChangeView.post— pure RHS, never read, auth already enforced by theIsAuthenticatedpermission class. (Done manually; ruff classifies the F841 fix as "unsafe" and I declined--unsafe-fixes.)2. CI least-privilege (
actions/missing-workflow-permissions) — 2 CodeQL alertspermissions: contents: readtodjango.ymlanddjango_ci.yml. Both are pure test/lint runners (checkout → setup-python → pip install → compileall/flake8); neither pushes, comments, or uploads, so read-only is correct least privilege.Total: 16 CodeQL alerts cleared (14 Python + 2 Actions).
Verification
ruff check backend --exclude venv --select F401→ All checks passedpython -m compileall→ clean on all 11 changed Python filespython -c "import yaml; yaml.safe_load(...)"→ both workflows parse with the newpermissionsblockpytestnot run (pinned Django/deps don't install on 3.14 in this sandbox) — dead-import/dead-store removal + ruff-clean + compileall is sufficient behavior-preserving evidence for these no-build-needed plays.Deliberately NOT touched (residual / needs-care)
backend/venv/(33 CodeQL alerts) — left entirely to the open venv-purge PR chore: purge committed backend/venv from version control (coverage + static-analysis hygiene) #78; not re-touched.py/multiple-definition(redefinition tracing = judgment), 5py/commented-out-code(deliberate developer-reference scaffolding), 2.tsxjs/unused-local (need the frontendnpmtoolchain) — left for a separate, scoped pass.secrets:S6687/python:S2068/python:S6437— untouched.Dependabot
No config change.
.github/dependabot.ymlalready has optimal grouped (patch/minor) updates per ecosystem with major-version ignores, and security updates are firing correctly as individual + grouped PRs (e.g. #48, #23, #22, #76, #59). The 104 security alerts collapse via those existing Dependabot PRs — an operator merge decision, out of scope here.Part of the QZP drive-to-zero campaign. Reviewer merges; no auto-merge.
Summary by cubic
Removed dead Python code with
ruffF401/F841 and set read-only workflow permissions to enforce least privilege. No behavior change; clears 16 CodeQL alerts across backend and CI.Written for commit 407cce5. Summary will update on new commits.
CodeAnt-AI Description
Clean up unused code and restrict CI access
What Changed
Impact
✅ Fewer static analysis warnings✅ Lower workflow permissions✅ No change to app behavior💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.