fix(security): address OpenClaw CodeQL alerts

2026-05-31 16:08:37 +00:00 · 2026-05-28 11:34:32 +02:00
parent 7275304793
commit b008989bef
2 changed files with 2 additions and 0 deletions
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -225,6 +225,7 @@ jobs:
      - name: Checkout harness ref
        uses: actions/checkout@v6
        with:
+          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false
          fetch-depth: 0

--- a/src/agents/auth-profiles/legacy-oauth-sidecar.ts
+++ b/src/agents/auth-profiles/legacy-oauth-sidecar.ts
@@ -119,6 +119,7 @@ function buildLegacyOAuthSecretKey(seed: string): Buffer {
  // Legacy #79006 compatibility: existing sidecars were encrypted with this
  // SHA-256 key derivation, so changing it would strand affected users.
  // codeql[js/insufficient-password-hash]
+  // lgtm[js/insufficient-password-hash]
  return createHash("sha256").update(`openclaw:auth-profile-oauth:${seed}`).digest();
 }