Resolve CodeQL "Issues" (#404)

David Collom · web-flow · commit e0bc8cd97306 · 2025-11-11T11:59:30.000+01:00
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -8,12 +8,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Setting some default permissions for all jobs
+permissions:
+  contents: read
+  security-events: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
-      checks: write # for golangci/golangci-lint-action to annotate Pull Requests
     name: Lint Go code
     runs-on: ubuntu-latest
     steps:
@@ -35,6 +38,8 @@ jobs:
   code-scan:
     name: Code Scan
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
@@ -58,6 +63,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
+    permissions:
+      security-events: write
     steps:
       # We only need to checkout as govuln does the go setup...
       - name: Checkout code
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -11,11 +11,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Helm Chart
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   release-name:
     name: Generate a clean release name from the branch/tag
diff --git a/pkg/client/docker/path.go b/pkg/client/docker/path.go
@@ -6,7 +6,7 @@ import (
 )
 
 var (
-	dockerReg = regexp.MustCompile(`(^(.*\.)?docker.com$)|(^(.*\.)?docker.io$)`)
+	dockerReg = regexp.MustCompile(`(^(.*\.)?docker\.com$)|(^(.*\.)?docker\.io$)`)
 )
 
 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/gcr/path.go b/pkg/client/gcr/path.go
@@ -6,7 +6,7 @@ import (
 )
 
 var (
-	reg = regexp.MustCompile(`(^(.*\.)?gcr.io$|^(.*\.)?k8s.io$|^(.+)-docker.pkg.dev$)`)
+	reg = regexp.MustCompile(`(^(.*\.)?gcr\.io$|^(.*\.)?k8s\.io$|^(.+)-docker\.pkg\.dev$)`)
 )
 
 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/quay/path.go b/pkg/client/quay/path.go
@@ -6,7 +6,7 @@ import (
 )
 
 var (
-	reg = regexp.MustCompile(`(^(.*\.)?quay.io$)`)
+	reg = regexp.MustCompile(`(^(.*\.)?quay\.io$)`)
 )
 
 func (c *Client) IsHost(host string) bool {

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`var (`
`9`		- dockerReg = regexp.MustCompile(`(^(.\.)?docker.com$)\|(^(.\.)?docker.io$)`)
	`9`	+ dockerReg = regexp.MustCompile(`(^(.\.)?docker\.com$)\|(^(.\.)?docker\.io$)`)
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`func (c *Client) IsHost(host string) bool {`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`var (`
`9`		- reg = regexp.MustCompile(`(^(.\.)?gcr.io$\|^(.\.)?k8s.io$\|^(.+)-docker.pkg.dev$)`)
	`9`	+ reg = regexp.MustCompile(`(^(.\.)?gcr\.io$\|^(.\.)?k8s\.io$\|^(.+)-docker\.pkg\.dev$)`)
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`func (c *Client) IsHost(host string) bool {`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`var (`
`9`		- reg = regexp.MustCompile(`(^(.*\.)?quay.io$)`)
	`9`	+ reg = regexp.MustCompile(`(^(.*\.)?quay\.io$)`)
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`func (c *Client) IsHost(host string) bool {`