From db5f799374abc68cfec1aef4991df6d1e6ab4c9c Mon Sep 17 00:00:00 2001 From: Ramakrishna Prabhu Date: Fri, 15 May 2026 11:29:07 -0500 Subject: [PATCH 1/2] ci: suppress SonarQube shell:S4830 on self-hosted server health probe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `curl -k` on the health-check is intentional: this same script generates the self-signed cert and starts the server two lines earlier, and the test CA is used to validate subsequent `cuopt_sh` calls. There is no real TLS endpoint to trust against. Marks the line with `# NOSONAR` and a rationale so the rule stops firing on every nightly scan. Clears the remaining CRITICAL VULN on `main` (rule shell:S4830). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) --- ci/test_self_hosted_service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/test_self_hosted_service.sh b/ci/test_self_hosted_service.sh index 601b45326b..864e998c9b 100755 --- a/ci/test_self_hosted_service.sh +++ b/ci/test_self_hosted_service.sh @@ -79,7 +79,7 @@ DELAY=10 sleep $DELAY -server_status=$(curl -k -sL https://0.0.0.0:$CUOPT_SERVER_PORT/cuopt/health) +server_status=$(curl -k -sL https://0.0.0.0:$CUOPT_SERVER_PORT/cuopt/health) # NOSONAR — self-signed cert generated locally by this script for CI; not a real TLS endpoint. EXITCODE=0 From ba4554f63efbb91da755c32cb239e7972e7b79d1 Mon Sep 17 00:00:00 2001 From: Ramakrishna Prabhu Date: Fri, 15 May 2026 12:08:42 -0500 Subject: [PATCH 2/2] ci: scope GitHub Actions permissions to the job level (SonarQube S8264/S8233) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the `permissions:` block from workflow level to per-job level. Every job in this chain (and in the two reusable workflows it calls, build_images.yaml and test_images.yaml) only performs a checkout plus DockerHub/NGC logins via username/password secrets — there is no OIDC, no GHCR pull, no artifact download, no PR API usage. So each job is reduced to `contents: read` only, dropping the unused workflow-level grants of `actions: read`, `id-token: write`, `packages: read`, and `pull-requests: read`. Clears 5 MAJOR vulnerabilities on `main`: - 4× githubactions:S8264 (read perms at workflow level) - 1× githubactions:S8233 (write perm at workflow level) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) --- .../workflows/build_test_publish_images.yaml | 23 +++++++------------ 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index c4178a804d..9fd2fc1923 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml @@ -36,24 +36,11 @@ defaults: run: shell: bash -permissions: - actions: read - checks: none - contents: read - deployments: none - discussions: none - id-token: write - issues: none - packages: read - pages: none - pull-requests: read - repository-projects: none - security-events: none - statuses: none - jobs: compute-matrix: runs-on: ubuntu-latest + permissions: + contents: read container: image: rapidsai/ci-conda:26.06-latest outputs: @@ -111,6 +98,8 @@ jobs: build-images: name: Build images needs: compute-matrix + permissions: + contents: read secrets: inherit # zizmor: ignore[secrets-inherit] strategy: matrix: ${{ fromJson(needs.compute-matrix.outputs.MATRIX) }} @@ -127,6 +116,8 @@ jobs: build-cuopt-multiarch-manifest: name: Build cuopt multiarch manifest needs: [build-images, compute-matrix] + permissions: + contents: read strategy: matrix: CUDA_VER: ${{ fromJson(needs.compute-matrix.outputs.MATRIX).cuda_ver }} @@ -171,6 +162,8 @@ jobs: test-images: name: Test images needs: [build-cuopt-multiarch-manifest, compute-matrix] + permissions: + contents: read secrets: inherit # zizmor: ignore[secrets-inherit] strategy: matrix: