Devsecops (#481)

* fix(workflows): standardize runner configuration for security jobs

* ci(actionlint): add Blacksmith runner label to config

Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.

This label is used across all workflows after the Blacksmith migration.

* Merge branch 'main' into devsecops

* fix(actionlint): adjust indentation for self-hosted runner labels

* Merge branch 'main' into devsecops

* feat(security): enhance security workflow with CodeQL analysis steps

* Merge branch 'main' into devsecops

* fix(security): update CodeQL action to version 4 for improved analysis

* Merge branch 'main' into devsecops

* fix(security): remove duplicate permissions in security workflow

* fix(security): revert CodeQL action to v3 for stability

The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.

* fix(security): remove duplicate permissions causing workflow validation failure

The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.

Fixes: workflow file validation failures on main branch

* Merge remote-tracking branch 'origin/main' into devsecops

* fix(security): remove pull_request trigger to reduce costs

* fix(security): restore PR trigger but skip codeql on PRs

* fix(security): resolve YAML syntax error in security workflow

* refactor(security): split CodeQL into dedicated scheduled workflow

* fix(security): update workflow name to Rust Package Security Audit

* fix(codeql): remove push trigger, keep schedule and on-demand only

* feat(codeql): add CodeQL configuration file to ignore specific paths

* Merge branch 'main' into devsecops

* Merge branch 'main' into devsecops

* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

src/channels/irc.rs

@@ -453,14 +453,23 @@ impl Channel for IrcChannel {
                 "AUTHENTICATE" => {
                     // Server sends "AUTHENTICATE +" to request credentials
                     if sasl_pending && msg.params.first().is_some_and(|p| p == "+") {
-                        let encoded = encode_sasl_plain(
+                        if let Some(password) = self.sasl_password.as_deref() {
-                            &current_nick,
+                            let encoded = encode_sasl_plain(&current_nick, password);
-                            self.sasl_password.as_deref().unwrap_or(""),
-                        );
                             let mut guard = self.writer.lock().await;
                             if let Some(ref mut w) = *guard {
                                 Self::send_raw(w, &format!("AUTHENTICATE {encoded}")).await?;
                             }
+                        } else {
+                            // SASL was requested but no password is configured; abort SASL
+                            tracing::warn!(
+                                "SASL authentication requested but no SASL password is configured; aborting SASL"
+                            );
+                            sasl_pending = false;
+                            let mut guard = self.writer.lock().await;
+                            if let Some(ref mut w) = *guard {
+                                Self::send_raw(w, "CAP END").await?;
+                            }
+                        }
                     }
                 }