Bug fixes and wrapper bump version to 2.4.24 #445

commit 1a82281
Author: atishj99 <141334503+cx-atish-jadhav@users.noreply.github.com>
Date: Fri May 29 14:29:02 2026 +0530

bug fixes and claude.md changes

commit 484b0c1
Author: atishj99 <141334503+cx-atish-jadhav@users.noreply.github.com>
Date: Mon Apr 20 14:47:43 2026 +0530

Add CLAUDE.md for ast-jetbrains-plugin
Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy. Disallowed Actions:

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed. For more information, see StepSecurity's Actions Policy documentation.
Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. Secret references detected:

To approve this workflow, please add the

Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation.
- Add workflow-level permissions: contents: read to all workflows
- Add job-level permissions scoped to minimum required
- Move all ${{ inputs.* }} and ${{ needs.*.outputs.* }} to env: vars in run steps to prevent script injection
- Replace disallowed dev-drprasad/delete-older-releases with gh release delete loop
- Comment out TimonVS/pr-labeler-action (disallowed action)
- Comment out notify and dispatch jobs calling plugins-release-workflow
- Comment out auto-merge, dependabot-auto-merge, nightly, and update-wrapper-version jobs
- Comment out issue-automation Jira jobs
- Remove repository_dispatch trigger from update-wrapper-version
- Add persist-credentials: false to all read-only checkout steps
- Fix env.CLI_VERSION inline injection in release job outputs step
- Change publish input default from true to false
- Replace dev-drprasad/delete-older-releases with gh release delete
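The move of `${{ inputs.* }}`, `${{ needs.*.outputs.* }}` and `env.CLI_VERSION` out of `run:` scripts can be checked mechanically. The following is an added example, not code from this PR or repository: a line-based Python check (it does not fully parse YAML) run over a constructed workflow that holds the before and after form of one step; the job, step and variable names in the sample are made up.

```python
import re

# Contexts the commit message names: inputs.*, needs.*.outputs.*, env.* (env.CLI_VERSION).
TAINTED = re.compile(
    r"\$\{\{\s*(inputs\.[\w.-]+|needs\.[\w.-]+\.outputs\.[\w.-]+|env\.[\w.-]+)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(run):\s*(.*)$")

def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for each expression expanded inside a run: script."""
    findings, run_col = [], None  # run_col: column of the active run: key, None outside one
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip(" "))
        match = RUN_KEY.match(line)
        if match:  # a script starts here (inline or block scalar)
            run_col, script = match.start(1), match.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line  # still inside the block scalar
        else:  # dedent: back to ordinary YAML keys such as env:
            run_col, script = None, ""
        findings += [(number, m.group(1)) for m in TAINTED.finditer(script)]
    return findings

# Constructed sample: the first step interpolates into the script text, the second
# passes the same values through env: so the shell only ever sees "$VERSION".
SAMPLE = """\
on:
  workflow_dispatch:
    inputs:
      version: {type: string}
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: tag (before)
        run: |
          git tag "${{ inputs.version }}"
          echo "cli=${{ env.CLI_VERSION }}" >> "$GITHUB_OUTPUT"
      - name: tag (after)
        env:
          VERSION: ${{ inputs.version }}
          CLI: ${{ needs.build.outputs.cli_version }}
        run: |
          git tag "$VERSION"
          echo "cli=$CLI" >> "$GITHUB_OUTPUT"
"""

if __name__ == "__main__":
    for number, expression in find_inline_expressions(SAMPLE):
        print(f"line {number}: ${{{{ {expression} }}}} is expanded before the shell runs")
```

Only the two lines of the "before" step are reported; the same expressions under `env:` are not, because there the runner sets them as environment variables instead of pasting them into the script.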
The StepSecurity Policy Store policy on the cx-public-ubuntu-x64 runners was force-canceling every job. Add a SHA-pinned harden-runner step in audit (non-blocking) mode as the first step of each CI/scan job.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…f-hosted CI" This reverts commit c13b81c.
By submitting a PR to this repository, you agree to the terms within the Checkmarx Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
References
Testing
Checklist