Clear CodeQL high-severity alerts blocking releases (TASK-372/373)#10
Merged
Adds .github/codeql/codeql-config.yml that excludes **/_deps/** and .vscode/build*/** from CodeQL analysis, and wires the file into .github/workflows/codeql-analysis.yml via config-file: on the codeql-action/init step. Removes 5 high-severity GHAS false-positive alerts on GoogleTest source pulled into .vscode/build/_deps/ during the host-test build. Also scaffolds TASK-373 (real cpp/comparison-with-wider-type fixes in config_loader.cpp / config_loader_merge.cpp), which is the other half required to clear the GHAS gate so the v0.5.0 release PR #9 can merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Switches the JsonArray-iteration counter in lib/PedalLogic/src/config_loader.cpp:154 (loadConfig) and lib/PedalLogic/src/config_loader_merge.cpp:65 (mergeConfig) from uint8_t to size_t. Both loops compared the narrow counter against JsonArray::size() (size_t), which CodeQL flagged as cpp/comparison-with-wider-type — the counter could in principle wrap to zero and never terminate. In practice the secondary guard `i < hardwareConfig.numProfiles` (where numProfiles is uint8_t) bounds the counter at 255, so behaviour is unchanged. config_loader.cpp adds a static_cast<uint8_t> at the profileManager.addProfile() call site since the counter is now wider than the API expects; the cast is safe by construction. Clears CodeQL alerts #1 (config_loader.cpp) and #2 (config_loader_merge.cpp) so the v0.5.0 release PR #9 can pass the GHAS code-scanning gate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
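The commit above describes why an 8-bit loop counter compared against `size_t` is flagged, why the `numProfiles` guard makes the wrap unreachable in this code base, and why the `static_cast<uint8_t>` at the `addProfile()` call site is safe. The following is an added, self-contained illustration of those three points; it is not the project's code. `FakeJsonArray`, `FakeProfileManager`, and the three `loop*` functions are hypothetical stand-ins (ArduinoJson's real `JsonArray` and the project's profile manager are not used), and the array sizes are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for ArduinoJson's JsonArray: only size() is needed
// to show the counter-width problem.
struct FakeJsonArray {
    std::size_t n;
    std::size_t size() const { return n; }
};

// Hypothetical stand-in for a profile manager whose addProfile() takes uint8_t,
// mirroring the narrower-than-counter API the cast in the commit is for.
struct FakeProfileManager {
    std::vector<std::uint8_t> added;
    void addProfile(std::uint8_t idx) { added.push_back(idx); }
};

// BEFORE, with no second guard: the pattern cpp/comparison-with-wider-type
// reports. For arrays larger than 255 elements the uint8_t counter wraps
// 255 -> 0 before `i < arr.size()` can ever become false, so the loop never
// terminates. An iteration cap is added here purely so the demo returns;
// hitting the cap is the evidence of the wrap.
std::size_t loopNarrowUnguarded(const FakeJsonArray& arr, std::size_t cap) {
    std::size_t iterations = 0;
    for (std::uint8_t i = 0; i < arr.size(); ++i) {
        if (++iterations >= cap) return iterations;  // would spin forever otherwise
    }
    return iterations;
}

// BEFORE, as in the project: `i < numProfiles` (numProfiles is uint8_t, so at
// most 255) stops the loop before i can reach 255, making the wrap unreachable.
// The alert is about the comparison itself, not observed behaviour.
std::size_t loopNarrowGuarded(const FakeJsonArray& arr, std::uint8_t numProfiles) {
    std::size_t iterations = 0;
    for (std::uint8_t i = 0; i < arr.size() && i < numProfiles; ++i) ++iterations;
    return iterations;
}

// AFTER: a size_t counter, so the comparison involves no narrowing and cannot
// wrap. The cast at the addProfile() call site is safe by construction because
// the guard has already established i < numProfiles <= 255.
std::size_t loopWide(const FakeJsonArray& arr, std::uint8_t numProfiles,
                     FakeProfileManager& pm) {
    std::size_t iterations = 0;
    for (std::size_t i = 0; i < arr.size() && i < numProfiles; ++i) {
        pm.addProfile(static_cast<std::uint8_t>(i));
        ++iterations;
    }
    return iterations;
}

int main() {
    FakeProfileManager pm;
    std::printf("unguarded, 300 elems: %zu iterations (cap hit => wrap)\n",
                loopNarrowUnguarded(FakeJsonArray{300}, 1000));
    std::printf("guarded,   300 elems: %zu iterations\n",
                loopNarrowGuarded(FakeJsonArray{300}, 255));
    std::printf("size_t,    300 elems: %zu profiles added\n",
                loopWide(FakeJsonArray{300}, 255, pm));
    return 0;
}
```

Running the block shows the unguarded 8-bit loop only stops because of the artificial cap, while the guarded and the `size_t` versions both stop at 255 for a 300-element input; the `size_t` version is the one that also satisfies the CodeQL query, since the comparison no longer mixes widths.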
…ease-PR gate

Pulls in pedal_config.cpp and profile.cpp from feature/config-extensions (squash branch / PR #9) to clear the pre-existing clang-tidy backlog on main. Without this, PR #10 cannot pass the required clang-tidy CI gate even though my own changes do not touch these files — the gate fails on errors that already exist on main.

Mechanical fixes:
- braces around single-statement if/for bodies in pedal_config.cpp (8x) and profile.cpp (4x) — readability-braces-around-statements
- remove unused 'ILogger* createLogger()' forward declaration in pedal_config.cpp — readability-redundant-declaration

Identical to the corresponding hunks in TASK-371's squashed history; no functional change. Once PR #10 merges, main is clang-tidy-clean and PR #9 (v0.5.0 release) can rebase and merge without --admin override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Two fixes that together clear the GHAS code-scanning gate blocking PR #9 (v0.5.0 release):
- `.github/codeql/codeql-config.yml` with `paths-ignore` for `**/_deps/**` and `.vscode/build*/**`. Wires it into the CodeQL workflow so vendored GoogleTest source pulled into the host-test build is not scanned (5 false-positive high-severity alerts go away).
- `JsonArray`-iteration counter in `config_loader.cpp` and `config_loader_merge.cpp` from `uint8_t` to `size_t`. Both loops compared the narrow counter against `JsonArray::size()` (`size_t`); CodeQL flagged `cpp/comparison-with-wider-type`. Behaviour is unchanged in practice because `numProfiles` (`uint8_t`, ≤ 255) was already the binding cap.

After this lands on `main` and the next CodeQL scan runs, the 7 currently-open high-severity alerts should drop to 0.

Test plan
- `make test-host` — 291/291 pass locally
- `_deps/`
- `cpp/comparison-with-wider-type` findings

🤖 Generated with Claude Code