
Annotate resolve_transport_paths with SEC-005 exemption to avoid false cross-repo validation failure #37560

Merged

pelikhan merged 2 commits into main from copilot/sec-005-add-allowlist-check on Jun 7, 2026

Conversation

Copilot AI commented Jun 7, 2026

Contributor

SEC-005 flagged actions/setup/js/resolve_transport_paths.cjs for missing target-repo allowlist checks due to heuristic matching on defaultTargetRepo. This utility does not perform cross-repository API writes; it only derives local transport file paths and checks existence.

  • Conformance alignment

    • Added a documented SEC-005 exemption annotation in resolve_transport_paths.cjs to mark the module as a pure local path-derivation utility.
    • Clarified that target-repo allowlist enforcement is owned by upstream API-calling handlers.
  • Behavioral impact

    • No runtime logic changes.
    • No changes to path derivation, repo candidate selection, or file resolution behavior.
// @safe-outputs-exempt SEC-005: pure local path-derivation utility; no cross-repo API calls. Target-repo allowlist enforcement is handled upstream in API-calling handlers.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
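As an added illustration (not the repository's own conformance tooling, whose internals this PR does not show), the Node script below shows how a heuristic SEC-005-style check can be made exemption-aware in the way the description above relies on: a file that references defaultTargetRepo without an allowlist check is flagged, but a `@safe-outputs-exempt SEC-005: <rationale>` annotation suppresses the finding only when a rationale is actually present. The rule id, the defaultTargetRepo heuristic and the annotation format come from the PR; the allowlist evidence pattern, the comment-stripping step and the sample sources are assumptions constructed for this example.

```javascript
// Added illustration, not the project's conformance tooling: an
// exemption-aware SEC-005-style check. The rule id, the defaultTargetRepo
// heuristic and the annotation format come from the PR; everything else
// (allowlist evidence pattern, comment stripping, sample sources) is an
// assumption constructed for this example.

const RULE_ID = "SEC-005";

// Heuristic trigger: the file appears to support a target repo.
const TARGET_REPO_PATTERN = /\bdefaultTargetRepo\b/;

// Assumed evidence that an allowlist check exists in the code itself.
const ALLOWLIST_PATTERN = /allowlist|allowedRepos/i;

// Documented exemption: "@safe-outputs-exempt SEC-005: <rationale>".
const EXEMPT_PATTERN = /@safe-outputs-exempt\s+(SEC-\d+)\s*:\s*(.*)$/;

// Drop `//` comments so that words inside a rationale (e.g. "allowlist")
// cannot satisfy the evidence pattern. Simplistic: it ignores string
// literals and block comments, which is acceptable for a heuristic.
function stripLineComments(source) {
  return source.replace(/\/\/.*$/gm, "");
}

// Returns null (no annotation), {valid:false, reason} (annotation without
// a rationale) or {valid:true, rationale}.
function findExemption(source, ruleId) {
  for (const line of source.split("\n")) {
    const m = line.match(EXEMPT_PATTERN);
    if (m && m[1] === ruleId) {
      const rationale = m[2].trim();
      if (rationale.length === 0) {
        return { valid: false, reason: "exemption lacks a rationale" };
      }
      return { valid: true, rationale };
    }
  }
  return null;
}

function checkSec005(filePath, source) {
  const code = stripLineComments(source);
  if (!TARGET_REPO_PATTERN.test(code)) {
    return { file: filePath, status: "not-applicable" };
  }
  if (ALLOWLIST_PATTERN.test(code)) {
    return { file: filePath, status: "pass" };
  }
  const exemption = findExemption(source, RULE_ID);
  if (exemption && exemption.valid) {
    return { file: filePath, status: "exempt", rationale: exemption.rationale };
  }
  return {
    file: filePath,
    status: "fail",
    message: exemption
      ? exemption.reason
      : `${RULE_ID}: ${filePath} supports target-repo but lacks allowlist check`,
  };
}

// Constructed sample sources; none of these is the real repository file.
const SAMPLES = {
  // API-calling handler that enforces the allowlist itself: passes.
  "handler.cjs": `
    const target = opts.defaultTargetRepo;
    if (!allowlist.includes(target)) throw new Error("target repo not allowed");
    callApi(target);`,
  // Local-only helper carrying the documented exemption: exempt.
  "resolve_transport_paths.cjs": `
    // @safe-outputs-exempt SEC-005: pure local path-derivation utility; no cross-repo API calls. Target-repo allowlist enforcement is handled upstream in API-calling handlers.
    const repo = opts.defaultTargetRepo;
    return fs.existsSync(path.join(base, repo, "transport.json"));`,
  // Same shape but undocumented: the finding stands.
  "unannotated.cjs": `
    const repo = opts.defaultTargetRepo;
    return path.join(base, repo);`,
  // Annotation present but empty: rejected, so the finding stands.
  "bad_exemption.cjs": `
    // @safe-outputs-exempt SEC-005:
    const repo = opts.defaultTargetRepo;`,
};

function runAll(samples = SAMPLES) {
  return Object.entries(samples).map(([file, src]) => checkSec005(file, src));
}

for (const result of runAll()) console.log(result);
```

Stripping comments before the evidence match matters: the exemption rationale in the PR itself contains the word "allowlist", and without that step the annotated file would be reported as "pass" rather than "exempt", hiding the fact that the check is delegated upstream.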
Copilot AI changed the title [WIP] Add allowlist check to resolve_transport_paths.cjs for SEC-005 conformance Annotate resolve_transport_paths with SEC-005 exemption to avoid false cross-repo validation failure Jun 7, 2026
Copilot AI requested a review from pelikhan June 7, 2026 13:32
@pelikhan pelikhan marked this pull request as ready for review June 7, 2026 13:36
Copilot AI review requested due to automatic review settings June 7, 2026 13:36
@pelikhan pelikhan merged commit d826bd9 into main Jun 7, 2026
@pelikhan pelikhan deleted the copilot/sec-005-add-allowlist-check branch June 7, 2026 13:36

Copilot AI left a comment

Contributor


Pull request overview

Adds a SEC-005 exemption annotation to resolve_transport_paths.cjs so safe-outputs conformance tooling doesn’t misclassify this local path-derivation helper as a cross-repo operation requiring an allowlist check.

Changes:

  • Annotated actions/setup/js/resolve_transport_paths.cjs with @safe-outputs-exempt SEC-005 and a rationale indicating it performs only local path derivation/existence checks.
  • No runtime behavior or path-derivation logic changes.
Summary per file:

  • actions/setup/js/resolve_transport_paths.cjs: Adds a SEC-005 exemption annotation to prevent false-positive cross-repo validation findings for a local-only utility.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0


Development

Successfully merging this pull request may close these issues.

[Safe Outputs Conformance] SEC-005: resolve_transport_paths.cjs supports target-repo but lacks allowlist check

3 participants