fix(security): resolve Dependabot and CodeQL vulnerabilities

.github/workflows/changesets.yml

@@ -9,6 +9,8 @@ jobs:
   changesets:
     name: Changesets
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       # Checkout this repository
       - name: Checkout Repo

.github/workflows/contracts.yml

@@ -11,6 +11,8 @@ jobs:
   contracts_run_ts_tests:
     name: Run Typescript Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5
@@ -31,6 +33,8 @@ jobs:
   contracts_run_cairo_tests:
     name: Run Cairo Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5

.github/workflows/examples.yml

@@ -11,6 +11,8 @@ jobs:
   run_examples_tests:
     name: Run Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5

.github/workflows/golangci-lint.yml

@@ -7,6 +7,8 @@ jobs:
   golangci-lint-version:
     name: Get golangci-lint version to from nix
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5
@@ -30,6 +32,8 @@ jobs:
   golang_lint_relayer:
     name: Golang Lint Relayer
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [golangci-lint-version]
     steps:
       - name: Checkout sources

.github/workflows/integration_gauntlet.yml

@@ -13,6 +13,8 @@ jobs:
     env:
       CI: true
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
         with:
@@ -39,6 +41,8 @@ jobs:
   integration_gauntlet_run_tests:
     name: Run Integration Gauntlet Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5

.github/workflows/lint.yml

@@ -11,6 +11,8 @@ jobs:
   lint_format_check:
     name: Format Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5

.github/workflows/relayer.yml

@@ -11,6 +11,8 @@ jobs:
   relayer_run_unit_tests:
     name: Run Unit Tests ${{ matrix.test-type.name }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:

.github/workflows/sonar-scan.yml

@@ -7,6 +7,8 @@ jobs:
   wait_for_workflows:
     name: Wait for workflows
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: always()
     steps:
       - name: Checkout Repository
@@ -31,6 +33,8 @@ jobs:
     name: SonarQube Scan
     needs: [wait_for_workflows]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: always()
     steps:
       - name: Checkout the repo

.github/workflows/static-analysis.yml

@@ -11,6 +11,8 @@ jobs:
   zizmor_analyzer:
     name: Zizmor
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout sources
         uses: actions/checkout@v5

.helm-repositories.yaml

@@ -1,3 +1,5 @@
+# Helm repository config for public charts. Empty password/username fields are intentional -
+# these are public chart repositories (bitnami, chainlink-qa, grafana) that do not require authentication.
 apiVersion: ''
 generated: '0001-01-01T00:00:00Z'
 repositories:

ops/localenv/main.go

@@ -8,6 +8,7 @@ import (
 	"os/exec"
 	"strings"
 	"sync"
+	"unicode"
 
 	"github.com/smartcontractkit/chainlink-starknet/ops/utils"
 )
@@ -87,7 +88,7 @@ func run(name string, f string, args ...string) {
 		panic(err)
 	}
 
-	// stream output to cmd line
+	// stream output to cmd line (sanitized to prevent log injection)
 	var wg sync.WaitGroup
 	wg.Add(2)
 	go func() {
@@ -98,7 +99,7 @@ func run(name string, f string, args ...string) {
 				wg.Done()
 				break
 			}
-			fmt.Print(string(p[:n]))
+			fmt.Print(sanitizeForLog(string(p[:n])))
 		}
 	}()
 	go func() {
@@ -109,7 +110,7 @@ func run(name string, f string, args ...string) {
 				wg.Done()
 				break
 			}
-			fmt.Print(string(p[:n]))
+			fmt.Print(sanitizeForLog(string(p[:n])))
 		}
 	}()
 
@@ -122,3 +123,19 @@ func run(name string, f string, args ...string) {
 		panic(err)
 	}
 }
+
+// sanitizeForLog replaces control characters to prevent log injection from subprocess output.
+func sanitizeForLog(s string) string {
+	var b strings.Builder
+	for _, r := range s {
+		switch {
+		case r == '\n', r == '\r':
+			b.WriteString(" ")
+		case unicode.IsControl(r):
+			b.WriteString(" ")
+		default:
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}