handcoding-labs · subhramit · Mar 26, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,48 @@
+# CodeQL SAST analysis for supply-chain security
+# See https://docs.github.com/en/code-security/code-scanning
+
+name: CodeQL
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    # Run weekly on Mondays at 3 AM UTC
+    - cron: '0 3 * * 1'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze (Go)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
+        with:
+          languages: go
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
+        with:
+          category: "/language:go"
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -12,25 +12,28 @@ on:
     # Run security scans daily at 2 AM UTC
     - cron: '0 2 * * *'
 
-env:
-  GO_VERSION: '1.25.8'  # Single version for consistency
+# Declare default permissions as read only.
+permissions: read-all
+
 
 jobs:
   # Code quality and linting
   lint:
     name: Lint and Format Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -54,24 +57,27 @@ jobs:
       - name: Run go vet
         run: go vet ./...
 
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-
       - name: Run golangci-lint
-        run: golangci-lint run --timeout=5m
+        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+        with:
+          install-mode: goinstall
+          version: latest
+          args: --timeout=5m
 
   # Security scanning
   security:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Run Go Security Check
         run: |
@@ -83,36 +89,39 @@ jobs:
   dependency-scan:
     name: Dependency Vulnerability Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
-      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
-      - name: Run Go vulnerability check
-        run: govulncheck ./...
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-package: ./...
 
   # Build and test
   test:
     name: Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -135,14 +144,14 @@ jobs:
         run: go tool cover -html=coverage.out -o coverage.html
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         with:
           file: ./coverage.out
           flags: unittests
           name: codecov-umbrella
 
       - name: Upload coverage artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: coverage-report
           path: |
@@ -153,17 +162,19 @@ jobs:
   benchmark:
     name: Benchmark Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -180,7 +191,7 @@ jobs:
         run: go test -bench=. -benchmem ./... | tee benchmark.txt
 
       - name: Upload benchmark results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: benchmark-results
           path: benchmark.txt
@@ -190,17 +201,19 @@ jobs:
     name: Build Verification
     runs-on: ubuntu-latest
     needs: [lint, security, dependency-scan]
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -216,4 +229,4 @@ jobs:
           GOOS=linux GOARCH=arm64 go build -v ./...
           GOOS=windows GOARCH=amd64 go build -v ./...
           GOOS=darwin GOARCH=amd64 go build -v ./...
-          GOOS=darwin GOARCH=arm64 go build -v ./...
+          GOOS=darwin GOARCH=arm64 go build -v ./...
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
         with:
           sarif_file: results.sarif
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,8 +6,33 @@ This project is not yet GA (v1.0.0) and thus all versions will get security upda
 
 | Version | Supported          |
 | ------- | ------------------ |
-| All   | :white_check_mark: |
+| All     | :white_check_mark: |
 
 ## Reporting a Vulnerability
 
-To report a vulnerability, just open a github issue on the repo.
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+We use GitHub's private vulnerability reporting feature. To report a vulnerability:
+
+1. Go to the [Security tab](../../security) of this repository.
+2. Click **"Report a vulnerability"** under the "Advisories" section.
+3. Fill in the details of the vulnerability, including steps to reproduce, impact, and any suggested fix.
+
+We will acknowledge receipt within **48 hours** and aim to provide a resolution timeline within **7 days**.
+
+If you are unable to use GitHub's private reporting, you may contact the maintainers directly via the contact information listed in the repository profile.
+
+### What to Include
+
+- Description of the vulnerability and its potential impact
+- Steps to reproduce the issue
+- Any proof-of-concept or exploit code (if applicable)
+- Suggested fix or mitigation (if known)
+
+### Disclosure Policy
+
+We follow a coordinated disclosure process. We ask that you:
+- Give us reasonable time to address the issue before public disclosure
+- Avoid exploiting the vulnerability beyond what is necessary to demonstrate it
+
+We will credit reporters in the security advisory unless they prefer to remain anonymous.
diff --git a/impl/fuzz_test.go b/impl/fuzz_test.go
@@ -0,0 +1,40 @@
+package impl
+
+import (
+	"testing"
+	"time"
+)
+
+// FuzzExtractStreamnameFromKspChannel fuzzes the ksp channel string extraction logic.
+func FuzzExtractStreamnameFromKspChannel(f *testing.F) {
+	f.Add("__keyspace@0__:my-stream-input")
+	f.Add("__keyspace@0__:")
+	f.Add("")
+	f.Add("invalid-prefix:stream")
+	f.Add("__keyspace@0__:stream-with-special-chars!@#$%^&*()")
+	f.Add("__keyspace@0__:a")
+
+	r := &RecoverableRedisStreamClient{}
+	f.Fuzz(func(t *testing.T, input string) {
+		_, _ = r.extractStreamnameFromKspChannel(input) //nolint:errcheck
+	})
+}
+
+// FuzzRetryConfigValidate fuzzes the retry configuration validation logic.
+func FuzzRetryConfigValidate(f *testing.F) {
+	f.Add(-1, int64(100*time.Millisecond), int64(30*time.Second))
+	f.Add(0, int64(100*time.Millisecond), int64(30*time.Second))
+	f.Add(5, int64(100*time.Millisecond), int64(30*time.Second))
+	f.Add(-2, int64(100*time.Millisecond), int64(30*time.Second))
+	f.Add(5, int64(0), int64(30*time.Second))
+	f.Add(5, int64(100*time.Millisecond), int64(50*time.Millisecond))
+
+	f.Fuzz(func(t *testing.T, maxRetries int, initialDelayNs, maxDelayNs int64) {
+		rc := RetryConfig{
+			MaxRetries:        maxRetries,
+			InitialRetryDelay: time.Duration(initialDelayNs),
+			MaxRetryDelay:     time.Duration(maxDelayNs),
+		}
+		_ = rc.Validate() //nolint:errcheck
+	})
+}