fix: address CodeQL security alerts

.github/workflows/license_npm.yml

@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     runs-on: ubuntu-latest

.github/workflows/npm.yml

@@ -7,6 +7,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

lib/installers/atl.js

@@ -85,7 +85,7 @@ const configurePrivateRepoAccess = () => {
       stdio: 'pipe',
     }).trim();
 
-    if (!gitConfig.includes('https://github.com/')) {
+    if (gitConfig !== 'https://github.com/') {
       console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
       execSync('git config --global url."git@github.com:".insteadOf "https://github.com/"', {
         stdio: 'pipe',

lib/installers/discord.js

@@ -84,8 +84,7 @@ const configurePrivateRepoAccess = () => {
     }
   );
 
-  const needsConfig =
-    gitResult.status !== 0 || !gitResult.stdout.trim().includes('https://github.com/');
+  const needsConfig = gitResult.status !== 0 || gitResult.stdout.trim() !== 'https://github.com/';
 
   if (needsConfig) {
     console.log(chalk.gray('Configuring git to use SSH for GitHub...'));

lib/installers/esq.js

@@ -95,8 +95,7 @@ const configurePrivateRepoAccess = () => {
     }
   );
 
-  const needsConfig =
-    gitResult.status !== 0 || !gitResult.stdout.trim().includes('https://github.com/');
+  const needsConfig = gitResult.status !== 0 || gitResult.stdout.trim() !== 'https://github.com/';
 
   if (needsConfig) {
     console.log(chalk.gray('Configuring git to use SSH for GitHub...'));

lib/installers/grafanactl.js

@@ -6,13 +6,30 @@ import path from 'path';
 import { execSync, spawnSync } from 'child_process';
 import { commandExists, getPlatformInfo } from '../utils/platform.js';
 
+// Keys whose following arg is a secret (e.g. contexts.X.grafana.password).
+const SENSITIVE_KEY_PATTERN = /\.(token|password|secret|api[_-]?key)$/i;
+
+/**
+ * Redact values in args that follow a sensitive key so secrets don't leak
+ * into error messages or logs.
+ */
+const redactSensitiveArgs = (args) =>
+  args.map((arg, i) => {
+    const prev = args[i - 1];
+    if (typeof prev === 'string' && SENSITIVE_KEY_PATTERN.test(prev)) {
+      return '<redacted>';
+    }
+    return arg;
+  });
+
 /**
  * Run a grafanactl config command, throwing on failure
  */
 const runConfig = (binary, args) => {
   const result = spawnSync(binary, args, { stdio: 'pipe', encoding: 'utf8' });
   if (result.status !== 0) {
-    throw new Error(`grafanactl ${args.join(' ')} failed: ${result.stderr || 'unknown error'}`);
+    const safeArgs = redactSensitiveArgs(args);
+    throw new Error(`grafanactl ${safeArgs.join(' ')} failed: ${result.stderr || 'unknown error'}`);
   }
   return result;
 };

lib/installers/n8n.js

@@ -97,7 +97,7 @@ const configurePrivateRepoAccess = () => {
       stdio: 'pipe',
     }).trim();
 
-    if (!gitConfig.includes('https://github.com/')) {
+    if (gitConfig !== 'https://github.com/') {
       console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
       execSync('git config --global url."git@github.com:".insteadOf "https://github.com/"', {
         stdio: 'pipe',