fix: resolve CodeQL security alerts

[JohnRDOrazio]

Summary

• scripts/setup-zitadel.py: Write sensitive config (client IDs, secrets) to .env.zitadel-setup file instead of logging to stdout. Mask admin password in all print output. Add .env.zitadel-setup to .gitignore. Fix pre-existing unused api_app variable.
• .github/workflows/release.yml: Add explicit permissions: { contents: read } to lint, test, and build jobs.

Resolves CodeQL alerts #3–#9:

• 4× py/clear-text-logging-sensitive-data (high severity)
• 3× actions/missing-workflow-permissions (medium severity)

Test plan

• Run python scripts/setup-zitadel.py against a local Zitadel instance and verify credentials are written to .env.zitadel-setup instead of stdout
• Verify no passwords or secrets appear in stdout output
• Verify CI workflow permissions don't break existing lint/test/build jobs

Closes #42

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Configured GitHub Actions workflow permissions for enhanced security.
  • Added environment configuration file to gitignore to prevent accidental tracking.
• New Features
  • Setup script now generates a local environment configuration file with issuer and client IDs during initialization.

[coderabbitai]

Warning

Rate limit exceeded

@JohnRDOrazio has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 22 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5bf0f463-25b5-43e5-bdee-0ac5fccf4475

📥 Commits

Reviewing files that changed from the base of the PR and between ae25938 and 9634d2b.

📒 Files selected for processing (1)

• scripts/setup-zitadel.py

📝 Walkthrough

Walkthrough

This pull request resolves CodeQL security alerts by adding explicit permissions: contents: read to GitHub Actions jobs, suppressing hardcoded credential lint warnings in the setup script, writing sensitive configuration to a .env.zitadel-setup file instead of stdout, and excluding that file from version control.

Changes

Cohort / File(s)	Summary
GitHub Actions Permissions .github/workflows/release.yml	Added permissions: contents: read to lint, test, and build jobs to enforce explicit permission boundaries and resolve missing-workflow-permissions alerts.
Git Configuration .gitignore	Added .env.zitadel-setup to the Environment section to prevent accidental commit of locally-generated configuration files containing sensitive credentials.
Setup Script Hardening scripts/setup-zitadel.py	Removed unused json import, added # noqa: S106 annotations to credential-printing statements to suppress hardcoded-password warnings, refactored API application creation (return value discarded), reformatted JSON payload for readability, and implemented new feature to write issuer, client IDs, and web client secret to .env.zitadel-setup file instead of relying solely on stdout output.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Hop, hop! Our secrets tucked away,
No cleartext logging on display!
Workflow permissions locked up tight,
.env files hidden from sight,
CodeQL alerts melt into the day! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: resolve CodeQL security alerts' accurately summarizes the main changes: fixing security vulnerabilities flagged by CodeQL analysis.
Linked Issues check	✅ Passed	All coding requirements from issue #42 are met: credentials written to .env.zitadel-setup, password masking added, .gitignore updated, unused variable fixed, and workflow permissions added.
Out of Scope Changes check	✅ Passed	All changes directly address CodeQL security alerts specified in issue #42; no unrelated modifications were introduced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/codeql-security-alerts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

scripts/setup-zitadel.py (3)

61-62: Nitpick: Add explicit mode to open() for clarity.

While the default mode "r" works correctly, being explicit improves readability.

Suggested fix

-            with open("/tmp/admin.pat") as f:
+            with open("/tmp/admin.pat", "r") as f:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/setup-zitadel.py` around lines 61 - 62, The open call that reads the
admin PAT currently relies on the default read mode; update the call that opens
"/tmp/admin.pat" to explicitly pass mode "r" (e.g., open("/tmp/admin.pat", "r"))
so the read is explicit and clear—this affects the block that reads into
variable pat in the script (the with open(...) as f: / pat = f.read().strip()
section).

---

286-304: Consider masking the password in the file comment.

Line 289 writes the admin password in clear text to the file comment, contributing to the CodeQL clear-text storage alert on line 304. Since users already see credentials in stdout, the file comment could mask it:

🔒 Proposed fix

     env_lines = [
         "# Generated by setup-zitadel.py (LOCAL DEVELOPMENT ONLY)\n",
         f"# Zitadel Console: {ZITADEL_URL}\n",
-        f"# Login: {ADMIN_USERNAME} / {ADMIN_PASSWORD}\n\n",
+        f"# Login: {ADMIN_USERNAME} / ******* (see stdout for password)\n\n",
         "# ontokit-api/.env\n",
         f"ZITADEL_ISSUER={ZITADEL_URL}\n",
     ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/setup-zitadel.py` around lines 286 - 304, The file writes the admin
password into env_lines (see env_lines list construction using ADMIN_PASSWORD)
which stores clear-text credentials into env_file; change the comment line that
includes f"# Login: {ADMIN_USERNAME} / {ADMIN_PASSWORD}\n" to mask or redact the
password (e.g. f"# Login: {ADMIN_USERNAME} / ******\\n" or omit the password)
before appending to env_lines, keeping the actual ADMIN_PASSWORD variable intact
for any programmatic use but ensuring env_lines only contains a masked value;
update the code that builds env_lines (and any related string) so the written
.env.zitadel-setup file never contains the plain ADMIN_PASSWORD.

---

268-280: Consider including ZITADEL_SERVICE_TOKEN in the output.

The script outputs ZITADEL_ISSUER, ZITADEL_CLIENT_ID, and ZITADEL_CLIENT_SECRET, but compose.yaml and .env.example also reference ZITADEL_SERVICE_TOKEN (the PAT for service account user lookups).

The PAT is already retrieved in get_admin_token(). If users are expected to configure this separately, a comment indicating where to find it would help:

 print("# ontokit-api/.env")
 print(f"ZITADEL_ISSUER={ZITADEL_URL}")
 if native_app.get("clientId"):
     print(f"ZITADEL_CLIENT_ID={native_app['clientId']}")
+print("# ZITADEL_SERVICE_TOKEN can be found at: docker cp ontokit-zitadel:/zitadel-data/admin.pat -")
 print()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/setup-zitadel.py` around lines 268 - 280, Add the
ZITADEL_SERVICE_TOKEN to the printed env output using the admin token retrieved
by get_admin_token(): when printing for ontokit-api (.env) and ontokit-web
(.env.local) include a line like ZITADEL_SERVICE_TOKEN=<admin_token> (use the
variable returned from get_admin_token()), so both places output the PAT used
for service-account lookups alongside ZITADEL_ISSUER, ZITADEL_CLIENT_ID and
ZITADEL_CLIENT_SECRET; if you prefer not to print secrets, instead print a short
comment pointing users to where to obtain the service token and reference
get_admin_token() as the retrieval location.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/setup-zitadel.py`:
- Around line 61-62: The open call that reads the admin PAT currently relies on
the default read mode; update the call that opens "/tmp/admin.pat" to explicitly
pass mode "r" (e.g., open("/tmp/admin.pat", "r")) so the read is explicit and
clear—this affects the block that reads into variable pat in the script (the
with open(...) as f: / pat = f.read().strip() section).
- Around line 286-304: The file writes the admin password into env_lines (see
env_lines list construction using ADMIN_PASSWORD) which stores clear-text
credentials into env_file; change the comment line that includes f"# Login:
{ADMIN_USERNAME} / {ADMIN_PASSWORD}\n" to mask or redact the password (e.g. f"#
Login: {ADMIN_USERNAME} / ******\\n" or omit the password) before appending to
env_lines, keeping the actual ADMIN_PASSWORD variable intact for any
programmatic use but ensuring env_lines only contains a masked value; update the
code that builds env_lines (and any related string) so the written
.env.zitadel-setup file never contains the plain ADMIN_PASSWORD.
- Around line 268-280: Add the ZITADEL_SERVICE_TOKEN to the printed env output
using the admin token retrieved by get_admin_token(): when printing for
ontokit-api (.env) and ontokit-web (.env.local) include a line like
ZITADEL_SERVICE_TOKEN=<admin_token> (use the variable returned from
get_admin_token()), so both places output the PAT used for service-account
lookups alongside ZITADEL_ISSUER, ZITADEL_CLIENT_ID and ZITADEL_CLIENT_SECRET;
if you prefer not to print secrets, instead print a short comment pointing users
to where to obtain the service token and reference get_admin_token() as the
retrieval location.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1acd2c39-53b7-4a05-8461-ce45dcb1d35d

📥 Commits

Reviewing files that changed from the base of the PR and between d242ed7 and ae25938.

📒 Files selected for processing (3)

• .github/workflows/release.yml
• .gitignore
• scripts/setup-zitadel.py