Fix path traversal vulnerabilities in update-readme tool

Add input validation to prevent path traversal attacks in the
update-readme internal tool:
- Clean file path using filepath.Clean to remove path traversal sequences
- Validate that only README.md files can be updated
- Add argument count validation

This fixes Snyk code scan findings:
- MEDIUM severity path traversal in os.ReadFile (line 28)
- MEDIUM severity path traversal in os.WriteFile (line 84)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: harche

internal/tools/update-readme/main.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"path/filepath"
 	"slices"
 	"strings"
 
@@ -25,7 +26,19 @@ func (o *OpenShift) IsOpenShift(ctx context.Context) bool {
 var _ internalk8s.Openshift = (*OpenShift)(nil)
 
 func main() {
-	readme, err := os.ReadFile(os.Args[1])
+	if len(os.Args) < 2 {
+		panic("Usage: update-readme <path-to-readme>")
+	}
+
+	// Sanitize the file path to prevent path traversal
+	readmePath := filepath.Clean(os.Args[1])
+
+	// Validate that the file path is README.md to prevent arbitrary file access
+	if filepath.Base(readmePath) != "README.md" {
+		panic("Error: This tool can only update README.md files")
+	}
+
+	readme, err := os.ReadFile(readmePath)
 	if err != nil {
 		panic(err)
 	}
@@ -81,7 +94,7 @@ func main() {
 		toolsetTools.String(),
 	)
 
-	if err := os.WriteFile(os.Args[1], []byte(updated), 0o644); err != nil {
+	if err := os.WriteFile(readmePath, []byte(updated), 0o644); err != nil {
 		panic(err)
 	}
 }