
chore: bump vendor/zoekt with CodeQL security fixes #1141

Merged
msukkari merged 3 commits into main from msukkari/zoekt-codeql-fixes
Apr 21, 2026

Conversation

@msukkari
Contributor

@msukkari msukkari commented Apr 21, 2026

Summary

Bumps vendor/zoekt from da9bf1a3 (current main — zoekt upstream sync) to 945c3e96, which includes:

  1. chore: resolve open CodeQL security alerts zoekt#13 (open) — resolves all 12 open CodeQL alerts on zoekt:

    • go/clear-text-logging (high): redact URL userinfo before logging git clone args in gitindex/clone.go.
    • go/incorrect-integer-conversion (high): use size-matched parsers in api.go (Atoi for tenantID) and cmd/zoekt-sourcegraph-indexserver/sg.go (ParseUint(_,10,32) for SG_ID).
    • actions/missing-workflow-permissions (medium × 8): add top-level permissions: contents: read to ci.yml and buf-breaking-check.yml.
    • actions/untrusted-checkout/high (high): switch semgrep.yml trigger from pull_request_target to pull_request so PR code is no longer checked out in a trusted context with access to secrets.
  2. Carries through chore: bump go-git/v5 to 5.18.0 (GHSA-3xc5-wrhm-f963) zoekt#11 (merged) — go-git/v5 5.17.0 → 5.18.0 for GHSA-3xc5-wrhm-f963 (Dependabot #16).

  3. Carries through chore: bump grpc and otel to patch GHSA alerts zoekt#12 (merged) — google.golang.org/grpc 1.75.0 → 1.80.0 and go.opentelemetry.io/otel* 1.42.0/1.33.0 → 1.43.0 for Dependabot #11 (critical), #14 (medium), and #15 (high).

These last two weren't in #1140's final squash because their respective zoekt merges landed after the Sourcebot PR merged.

Important

The submodule pointer in this PR currently references the feature-branch tip of sourcebot-dev/zoekt#13 (945c3e96). Once #13 merges to zoekt@main, this pointer must be re-pinned to the resulting merge commit before this PR lands.

Test plan

  • yarn build — full monorepo build passes topologically across all 10 packages.
  • yarn test — all test workspaces pass: queryLanguage 269/269, shared 32/32, backend 122/122, web 295/295.
  • go build -C vendor/zoekt -o bin ./cmd/... — all 18 zoekt binaries build.
  • go build ./... and go test -count=1 -short ./... pass across all 24 zoekt packages.
  • Dev stack end-to-end: fresh-indexed all three configured connections (GitHub sourcebot, GitLab gitlab-org/cli, Bitbucket atlassian/jira-rest-java-client), all 19 documented search features work, cross-host repo:, sym:, streaming search, /api/source, and /api/repos all return expected data.

Summary by CodeRabbit

  • Chores
    • Updated a vendored dependency to a newer revision to keep bundled tooling current.
    • Minor maintenance: pointer updated; no public APIs or user-facing behavior changed.

Pulls in sourcebot-dev/zoekt#13 (open), which resolves all open
CodeQL security alerts on the zoekt repo:

- go/clear-text-logging (high) in gitindex/clone.go
- go/incorrect-integer-conversion (high) in api.go and
  zoekt-sourcegraph-indexserver/sg.go
- actions/missing-workflow-permissions (medium x8) in ci.yml and
  buf-breaking-check.yml
- actions/untrusted-checkout/high (high) in semgrep.yml

Also carries through the dependency bumps from sourcebot-dev/zoekt#11
and #12 (go-git 5.18.0, grpc 1.80.0, otel 1.43.0) that were merged
after #1140 so weren't included when main shipped the original zoekt
sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
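The two Go-side CodeQL fixes listed in the description (redacting URL userinfo before a git clone command line is logged, and parsing a 32-bit ID with a parser whose bit size matches the destination type) are shown side by side in the stand-alone program below. This is an added example, not code from zoekt or from this PR; the function names, the constructed command line and the placeholder token are assumptions for illustration, and the truncating variant is the anti-pattern, kept only to show what the size-matched parser prevents.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// redactURL masks the userinfo of a URL-shaped argument so that a logged
// git command line cannot leak a token embedded as
// https://user:TOKEN@host/... or https://TOKEN@host/... .
// Arguments that are not URLs (subcommands, flags, local paths,
// scp-style remotes, which url.Parse rejects) are returned unchanged.
func redactURL(arg string) string {
	u, err := url.Parse(arg)
	if err != nil || u.Scheme == "" || u.User == nil {
		return arg
	}
	// Replace the whole userinfo, not just the password: some hosts take
	// the token as the username, so masking only the password is not enough.
	u.User = url.User("REDACTED")
	return u.String()
}

// redactArgs applies redactURL to every element of a command line before
// it is handed to a logger.
func redactArgs(args []string) []string {
	out := make([]string, len(args))
	for i, a := range args {
		out[i] = redactURL(a)
	}
	return out
}

// parseID32 parses a 32-bit identifier with bitSize 32, so out-of-range
// or negative input is reported as an error instead of wrapping silently.
func parseID32(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

// parseID32Truncating is the pattern go/incorrect-integer-conversion
// flags: parse at 64 bits (what strconv.Atoi amounts to on 64-bit
// platforms) and then cast. "4294967296" becomes 0 and "-1" becomes
// 4294967295, both without an error.
func parseID32Truncating(s string) (uint32, error) {
	v, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

func main() {
	// Constructed sample command line; the token is a made-up placeholder.
	args := []string{"clone", "--depth=1",
		"https://x-access-token:ghp_EXAMPLETOKEN@github.com/org/repo.git", "/tmp/repo"}
	fmt.Println("logged:", redactArgs(args))

	for _, in := range []string{"42", "4294967296", "-1"} {
		safe, err := parseID32(in)
		lossy, _ := parseID32Truncating(in)
		fmt.Printf("%-11s size-matched=%d err=%v  truncating=%d\n", in, safe, err, lossy)
	}
}
```

The redaction runs on the argument slice rather than on the formatted log line, so it also covers URLs passed through `--config` style flags as long as they parse as URLs; the parse-then-cast pattern is what makes a tenant or repository ID silently alias another one, which is why the fix is a matching bit size rather than a range check after the fact.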
@github-actions
Contributor

@msukkari your pull request is missing a changelog!

@coderabbitai
Contributor

coderabbitai Bot commented Apr 21, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b5682ca and ae0d18f.

📒 Files selected for processing (1)
  • vendor/zoekt
✅ Files skipped from review due to trivial changes (1)
  • vendor/zoekt

Walkthrough

Updates the vendor/zoekt submodule reference from commit da9bf1a3c96b438268e2692c4b4fd7a3d341c2c9 to df983ea1170b43829f4317660bdf2345791f350e, changing the vendored zoekt code included in the repository.

Changes

Cohort / File(s): Vendored Dependency Update (vendor/zoekt)
Summary: Submodule commit reference updated from da9bf1a3c96b438268e2692c4b4fd7a3d341c2c9 to df983ea1170b43829f4317660bdf2345791f350e.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main change: bumping the vendor/zoekt submodule to include CodeQL security fixes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@vendor/zoekt`:
- Line 1: The vendor/zoekt submodule is pointing to the feature branch tip
commit 945c3e96 (msukkari/codeql-fixes) which is unstable; wait for
sourcebot-dev/zoekt#13 to be merged to main, then update the vendor/zoekt
gitlink to the exact merge commit on zoekt@main (replace the current
msukkari/codeql-fixes pointer), run git submodule sync && git submodule update
--init --recursive to fetch the new commit, and re-run the project tests to
confirm the merge commit works correctly before merging this PR.
📥 Commits

Reviewing files that changed from the base of the PR and between 9d3bb1b and 4001a1b.

📒 Files selected for processing (1)
  • vendor/zoekt

Comment thread vendor/zoekt Outdated
@@ -1 +1 @@
Subproject commit da9bf1a3c96b438268e2692c4b4fd7a3d341c2c9
Subproject commit 945c3e96b253d242b2f2f31df872e81cacaa3bf3
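Review bot: the gitlink moves to 945c3e96b253d242b2f2f31df872e81cacaa3bf3, which the PR description itself identifies as the tip of the feature branch for sourcebot-dev/zoekt#13 rather than a commit on zoekt@main; once that branch is rebased or deleted after merge the pointer dangles, and `git submodule update --init --recursive` fails for anyone checking out this Sourcebot commit. Hold the merge until the pointer is re-pinned to the merge commit on main, and before landing confirm it is reachable from main with `git -C vendor/zoekt merge-base --is-ancestor <sha> origin/main` and re-run the test plan against that commit.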

⚠️ Potential issue | 🔴 Critical

Critical: Submodule points to feature branch instead of main branch.

The submodule currently references commit 945c3e96 from the feature branch msukkari/codeql-fixes. As stated in the PR objectives, this pointer must be updated to the eventual merge commit on zoekt@main once sourcebot-dev/zoekt#13 is merged.

Referencing a feature branch tip is risky because:

  • The branch may be rebased, force-pushed, or deleted after merging
  • This breaks reproducibility and can cause git submodule update failures
  • Production submodules should point to stable commits on the main branch

Action required: Do not merge this PR until:

  1. sourcebot-dev/zoekt#13 is merged to main
  2. The submodule pointer is updated to reference the merge commit on main
  3. Testing is re-run to confirm the merge commit works correctly

msukkari and others added 2 commits April 20, 2026 23:20
sourcebot-dev/zoekt#13 merged as 7c6c629f. Updating the submodule
pointer from the feature-branch tip (945c3e96) to the merge commit
on main so vendor/zoekt tracks canonical history before merging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
sourcebot-dev/zoekt#10 was squash-merged into zoekt@main, which
flattened the merge commit and left GitHub reporting the fork as 108
commits behind sourcegraph/zoekt:main even though all upstream content
was present. Fixed by performing a 'git merge -s ours upstream/main'
on zoekt@main: this records upstream/main as a second parent without
changing any files, restoring the ancestry link.

Bumping this submodule pointer from 7c6c629f (the previous main tip)
to df983ea1 (the new merge-ours commit). The vendored tree content is
byte-identical to 7c6c629f; only the commit graph is different.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@msukkari
Contributor Author

Bumped vendor/zoekt to df983ea1 to fix the fork-ancestry issue that made GitHub report sourcebot-dev/zoekt as 108 commits behind sourcegraph/zoekt:main.

Root cause: sourcebot-dev/zoekt#10 was squash-merged, which collapsed the merge commit into a single-parent commit. The upstream content was present in the tree but upstream/main was no longer an ancestor of origin/main, so GitHub's fork-comparison view kept flagging the fork as behind.

Fix: ran git merge -s ours upstream/main on zoekt@main. This records upstream/main as a second parent of main without modifying any files. The zoekt tree at df983ea1 is byte-identical to 7c6c629f — only the commit graph changed. sourcebot-dev/zoekt now shows 0 commits behind sourcegraph/zoekt:main.

Impact on this PR: none functionally — the vendored content didn't change. The submodule pointer is now on the canonical main tip of the fork.

@msukkari msukkari merged commit 48ad44d into main Apr 21, 2026
8 checks passed