CI: suppress shell:S4830 false positive and scope GHA permissions to job level

[rgsl888prabhu]

Summary

Closes 6 SonarQube findings on main — 1 CRITICAL VULN and 5 MAJOR VULNs — without changing runtime behavior.

ci/test_self_hosted_service.sh — suppress shell:S4830

The curl -k on the health probe is intentional: this same script generates a self-signed cert and starts the cuOpt server two lines earlier, so there is no real TLS endpoint to validate against (subsequent cuopt_sh calls do validate using the test CA in $CLIENT_CERT). Added a # NOSONAR marker with rationale.

.github/workflows/build_test_publish_images.yaml — job-scoped permissions

Moved the workflow-level permissions: block to per-job blocks (rule githubactions:S8264/S8233). After reading the two reusable workflows (build_images.yaml, test_images.yaml), every job only does actions/checkout + DockerHub/NGC logins via username/password secrets — no OIDC, no GHCR pull, no artifact download, no PR API. So each job is reduced to contents: read only, dropping unused actions: read, id-token: write, packages: read, pull-requests: read.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR tightens GitHub Actions workflow permissions by replacing a broad top-level permissions declaration with minimal per-job contents: read grants, and adds an inline comment documenting CI certificate generation in a test script. Both changes are configuration and documentation updates with no functional logic modifications.

Changes

CI Configuration and Documentation

Layer / File(s)	Summary
GitHub Actions job-level permissions hardening .github/workflows/build_test_publish_images.yaml	Removes the broad top-level permissions block and adds explicit job-level permissions: contents: read to compute-matrix, build-images, build-cuopt-multiarch-manifest, and test-images jobs, establishing least-privilege token scopes.
Self-hosted service test documentation ci/test_self_hosted_service.sh	Appends an inline comment to the server_status curl health-check command documenting that the self-signed certificate is generated locally for CI.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the two main changes: suppressing a shell linting false positive and scoping GitHub Actions permissions to job level.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description is directly related to the changeset, clearly explaining the rationale for both modified files and the SonarQube findings being addressed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sonar-tls-suppress-self-hosted-test

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

ci/test_self_hosted_service.sh (1)

82-82: 💤 Low value

Minor inaccuracy in NOSONAR rationale.

The comment states the cert is "generated locally by this script," but lines 71-74 show the certificate files are loaded from python/cuopt_self_hosted/cuopt_sh_client/tests/utils/certs/ rather than being generated at runtime. Consider clarifying:

-server_status=$(curl -k -sL https://0.0.0.0:$CUOPT_SERVER_PORT/cuopt/health) # NOSONAR — self-signed cert generated locally by this script for CI; not a real TLS endpoint.
+server_status=$(curl -k -sL https://0.0.0.0:$CUOPT_SERVER_PORT/cuopt/health) # NOSONAR — self-signed test cert from repo's test fixtures; not a real TLS endpoint.

The suppression itself is appropriate since curl -k is intentional for CI health checks against a local server using test certificates.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci/test_self_hosted_service.sh` at line 82, Update the inline NOSONAR comment
on the curl invocation that sets server_status to accurately reflect that the
script uses pre-generated test certificates from
python/cuopt_self_hosted/cuopt_sh_client/tests/utils/certs/ rather than
generating them at runtime; keep the curl -k suppression and NOSONAR rationale
but change the wording around certificate origin (refer to the server_status
curl line) so it correctly documents the source of the test certs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ci/test_self_hosted_service.sh`:
- Line 82: Update the inline NOSONAR comment on the curl invocation that sets
server_status to accurately reflect that the script uses pre-generated test
certificates from python/cuopt_self_hosted/cuopt_sh_client/tests/utils/certs/
rather than generating them at runtime; keep the curl -k suppression and NOSONAR
rationale but change the wording around certificate origin (refer to the
server_status curl line) so it correctly documents the source of the test certs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7889d481-adde-4d59-9d66-1cabccb71220

📥 Commits

Reviewing files that changed from the base of the PR and between 72ba054 and ba4554f.

📒 Files selected for processing (2)

• .github/workflows/build_test_publish_images.yaml
• ci/test_self_hosted_service.sh