From aa014ab85bb21f7b01a428c6f770fc2c7bfdc3e3 Mon Sep 17 00:00:00 2001 
From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Tue, 17 Feb 2026 00:16:23 -0500 Subject: [PATCH] Devsecops (#481) * fix(workflows): standardize runner configuration for security jobs * ci(actionlint): add Blacksmith runner label to config Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config to suppress "unknown label" warnings during workflow linting. This label is used across all workflows after the Blacksmith migration. * Merge branch 'main' into devsecops * fix(actionlint): adjust indentation for self-hosted runner labels * Merge branch 'main' into devsecops * feat(security): enhance security workflow with CodeQL analysis steps * Merge branch 'main' into devsecops * fix(security): update CodeQL action to version 4 for improved analysis * Merge branch 'main' into devsecops * fix(security): remove duplicate permissions in security workflow * fix(security): revert CodeQL action to v3 for stability The v4 version was causing workflow file validation failures. Reverting to proven v3 version that is working on main branch. * fix(security): remove duplicate permissions causing workflow validation failure The permissions block had duplicate security-events and actions keys, which caused YAML validation errors and prevented workflow execution. Fixes: workflow file validation failures on main branch * Merge remote-tracking branch 'origin/main' into devsecops * fix(security): remove pull_request trigger to reduce costs * fix(security): restore PR trigger but skip codeql on PRs * fix(security): resolve YAML syntax error in security workflow * refactor(security): split CodeQL into dedicated scheduled workflow * fix(security): update workflow name to Rust Package Security Audit * fix(codeql): remove push trigger, keep schedule and on-demand only * feat(codeql): add CodeQL configuration file to ignore specific paths * Merge branch 'main' into devsecops * Merge branch 'main' into devsecops * Potential fix for code scanning alert no. 
39: Hard-coded cryptographic value Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/channels/irc.rs | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/src/channels/irc.rs b/src/channels/irc.rs
index d53ca25..d63ad41 100644
--- a/src/channels/irc.rs
+++ b/src/channels/irc.rs
@@ -453,13 +453,22 @@ impl Channel for IrcChannel {
 "AUTHENTICATE" => {
 // Server sends "AUTHENTICATE +" to request credentials
 if sasl_pending && msg.params.first().is_some_and(|p| p == "+") {
- let encoded = encode_sasl_plain(
- ¤t_nick,
- self.sasl_password.as_deref().unwrap_or(""),
- );
- let mut guard = self.writer.lock().await;
- if let Some(ref mut w) = *guard {
- Self::send_raw(w, &format!("AUTHENTICATE {encoded}")).await?;
+ if let Some(password) = self.sasl_password.as_deref() {
+ let encoded = encode_sasl_plain(¤t_nick, password);
+ let mut guard = self.writer.lock().await;
+ if let Some(ref mut w) = *guard {
+ Self::send_raw(w, &format!("AUTHENTICATE {encoded}")).await?;
+ }
+ } else {
+ // SASL was requested but no password is configured; abort SASL
+ tracing::warn!(
+ "SASL authentication requested but no SASL password is configured; aborting SASL"
+ );
+ sasl_pending = false;
+ let mut guard = self.writer.lock().await;
+ if let Some(ref mut w) = *guard {
+ Self::send_raw(w, "CAP END").await?;
+ }
 }
 }
 }
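Review bot: The new `else` branch fails open: when the server has sent `AUTHENTICATE +` and no `sasl_password` is set, it logs a warning, sends `CAP END` and lets registration continue unauthenticated, so a deployment that expected an identified session runs without one. If SASL was asked for, returning an error from this arm would be the safer default; if continuing is intended, abort the exchange explicitly with `Self::send_raw(w, "AUTHENTICATE *").await?;` before the `CAP END` line, which is the client-side abort that IRCv3 SASL defines. Where `sasl_pending` is set and how the SASL result numerics are handled lie outside this hunk, so the branch may be unreachable in practice; a short comment saying so would help the next reader. Both branches also repeat the same lock-and-send sequence, so choosing the line to send first and writing it once would keep them from drifting apart.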