fix: address security vulnerabilities and improve CI

This commit addresses multiple security vulnerabilities and improves the CI workflow.

- Security:
  - Patches a high-severity vulnerability in the tar-fs npm package by updating dependencies.
    See: https://github.com/GoogleChrome/webstatus.dev/security/dependabot
  - Adds explicit permissions to GitHub Actions workflows to mitigate potential security risks.
    See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning

- CI/CodeQL:
  - Integrates CodeQL analysis directly into the main build job in the ci.yml workflow for Go, JavaScript/TypeScript, and Actions.
  - The CodeQL analysis now leverages the devcontainer, ensuring a consistent and accurate build environment.
  - This resolves previous CodeQL failures by ensuring generated code is available for analysis.
    See: https://github.com/GoogleChrome/webstatus.dev/security/code-scanning/tools/CodeQL/status/configurations/automatic/50b81ab7aa14a07a66df525212035d409a54427fca55f64790c4765d94a09359

Generated with Gemini.

Author: jcscottiii

.github/workflows/ci.yml

@@ -18,14 +18,24 @@ on: # trigger builds for 1) PRs, 2) merges into main from merge_queue, and 3) ma
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.25'
   NODE_VERSION: '22'
   GO_CACHE_DEPENDENCY_PATH: '**/*.sum'
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript-typescript', 'actions' ]
     steps:
       - name: Checkout (GitHub)
         uses: actions/checkout@v5
@@ -37,6 +47,10 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
       - name: Get Repo Owner
         id: get_repo_owner
         run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
@@ -46,6 +60,8 @@ jobs:
           cacheFrom: ghcr.io/${{ env.REPO_OWNER }}/webstatus-dev-devcontainer-ci-precommit
           push: never
           runCmd: make precommit
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
   playwright:
     runs-on: ubuntu-latest
     steps:

.github/workflows/codeql.yml

@@ -0,0 +1,56 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript-typescript', 'actions' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Generate code
+      run: make gen
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v4
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4

.github/workflows/devcontainer.yml

@@ -18,6 +18,10 @@ on:
   schedule:
     - cron: '0 0 * * 2' # Runs every Tuesday at midnight UTC
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   GO_VERSION: '1.23'
   NODE_VERSION: '22'