security: Fix 15 CodeQL alerts — URL sanitization and workflow permissions

.github/verify_badges.py

@@ -12,6 +12,15 @@
 
 import requests
 
+# Trusted badge hostnames (scheme must be https)
+_TRUSTED_HOSTS = frozenset({"github.com", "img.shields.io", "codecov.io"})
+
+
+def _is_trusted_host(url: str, hostname: str) -> bool:
+    """Validate that a URL uses HTTPS and matches an exact trusted hostname."""
+    parsed = urlparse(url)
+    return parsed.scheme == "https" and parsed.hostname == hostname and hostname in _TRUSTED_HOSTS
+
 
 class BadgeVerifier:
     """Verifies GitHub badges and provides status reports."""
@@ -47,8 +56,9 @@ def check_badge(self, name: str, url: str, expected_status: int = 200) -> dict:
             }
 
             # Additional checks for GitHub Actions badges
-            parsed = urlparse(url)
-            if parsed.hostname == "github.com" and "actions/workflows" in parsed.path:
+            if _is_trusted_host(url, "github.com") and urlparse(url).path.startswith(
+                "/docdyhr/versiontracker/actions/workflows/"
+            ):
                 # These might return different status codes when no runs exist
                 result["success"] = status in [200, 404]  # 404 is OK for new workflows
 
@@ -254,10 +264,11 @@ def print_summary(self) -> bool:
         github_actions = [
             r
             for r in self.results
-            if urlparse(r["url"]).hostname == "github.com" and "/actions" in urlparse(r["url"]).path
+            if _is_trusted_host(r["url"], "github.com")
+            and urlparse(r["url"]).path.startswith("/docdyhr/versiontracker/actions/")
         ]
-        shields_io = [r for r in self.results if urlparse(r["url"]).hostname == "img.shields.io"]
-        codecov = [r for r in self.results if urlparse(r["url"]).hostname == "codecov.io"]
+        shields_io = [r for r in self.results if _is_trusted_host(r["url"], "img.shields.io")]
+        codecov = [r for r in self.results if _is_trusted_host(r["url"], "codecov.io")]
 
         print("\n📋 BADGE CATEGORIES:")
         print("-" * 40)

.github/workflows/ci.yml

@@ -17,6 +17,8 @@ jobs:
   test:
     name: Test Python ${{ matrix.python-version }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -136,6 +138,8 @@ jobs:
     name: Build Package
     runs-on: ubuntu-latest
     needs: [test]
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v6

.github/workflows/lint.yml

@@ -17,6 +17,8 @@ jobs:
   lint:
     name: Code Linting and Formatting
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v6

.github/workflows/performance.yml

@@ -33,6 +33,7 @@ jobs:
   smoke:
     name: Performance Smoke Check
     runs-on: ubuntu-latest
+    permissions: {}
     if: github.event_name == 'pull_request' || github.event_name == 'push'
     steps:
       - name: No-op performance status
@@ -42,6 +43,8 @@ jobs:
   performance-test:
     name: Performance Testing on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     # Only run full performance suite on schedule or manual dispatch
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     strategy:
@@ -116,6 +119,7 @@ jobs:
     name: Performance Analysis
     runs-on: ubuntu-latest
     needs: performance-test
+    permissions: {}
     # Only analyze when full performance-test runs
     if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && always()
 
@@ -141,6 +145,7 @@ jobs:
     name: Performance Testing
     runs-on: ubuntu-latest
     needs: [performance-test, performance-analysis]
+    permissions: {}
     # Only report final status when full suite runs
     if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && always()
 

.github/workflows/release.yml

@@ -27,6 +27,8 @@ jobs:
   validate-release:
     name: Validate Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
       is_prerelease: ${{ steps.version.outputs.is_prerelease }}
@@ -85,6 +87,8 @@ jobs:
     name: Pre-Release Quality Checks
     runs-on: ubuntu-latest
     needs: validate-release
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -203,6 +207,8 @@ jobs:
     name: Build and Test Package
     runs-on: ${{ matrix.os }}
     needs: [validate-release, pre-release-checks]
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
@@ -343,6 +349,7 @@ jobs:
     name: Verify Release
     runs-on: ubuntu-latest
     needs: [validate-release, publish-package]
+    permissions: {}
     if: always() && needs.publish-package.result == 'success'
     steps:
       - name: Set up Python

.github/workflows/security.yml

@@ -21,6 +21,9 @@ jobs:
   security:
     name: Security Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v6