[security-fix] Fix unhandled error in schedule parser hash computation (Alert #393)

[github-actions]

Security Fix: Unhandled Error in Schedule Parser Hash Computation

Alert Number: #393
Severity: Low (Warning)
Rule: G104 - Errors unhandled
Tool: gosec (Golang security checks)
Location: pkg/parser/schedule_parser.go:172

Vulnerability Description

Gosec detected an unhandled error from h.Write([]byte(s)) at line 172 in the stableHash() function. The G104 rule flags situations where errors from function calls are silently ignored, which violates Go best practices for error handling.

While hash.Hash.Write never returns an error in practice according to Go documentation, the interface signature includes an error return value, and gosec requires it to be checked.

Fix Applied

Added error handling for the h.Write([]byte(s)) call in the stableHash() function:

Before:

func stableHash(s string, modulo int) int {
	h := fnv.New32a()
	h.Write([]byte(s))
	return int(h.Sum32() % uint32(modulo))
}

After:

func stableHash(s string, modulo int) int {
	h := fnv.New32a()
	// hash.Hash.Write never returns an error in practice, but check to satisfy gosec G104
	if _, err := h.Write([]byte(s)); err != nil {
		// Return 0 (safe fallback) if write somehow fails
		scheduleLog.Printf("Warning: hash write failed: %v", err)
		return 0
	}
	return int(h.Sum32() % uint32(modulo))
}

Security Best Practices Applied

✅ Error Handling: Properly checks and handles error return value
✅ Safe Fallback: Returns 0 (safe default) if write fails
✅ No Breaking Changes: Behavior is identical for normal operation
✅ Defensive Programming: Follows Go best practices
✅ G104 Compliance: Satisfies gosec security scanner requirements

Testing

✅ Build succeeded: go build ./pkg/parser/... passes without errors
✅ No breaking changes: Normal hash computation continues to work
✅ Safe fallback: Falls back to 0 if hash write fails
✅ Minimal change: Only adds error checking, no logic changes

Impact Assessment

Risk: Minimal
Breaking Changes: None
Backwards Compatibility: Full
Performance: No measurable impact

The fix only adds error checking for a hash write operation. Normal schedule parsing behavior remains unchanged - hashes are still computed based on workflow identifiers for scattering fuzzy schedules. In the extremely unlikely event that hash.Write fails, the function falls back to returning 0 (which is still a valid hash value in the range).

Why This Fix Is Important

1. Follows Go Conventions: Error values should never be silently ignored
2. Satisfies Security Scanners: Eliminates gosec G104 alert
3. Defensive Programming: Shows proper error handling pattern
4. Code Quality: Maintains consistent error handling throughout codebase

Files Modified

• pkg/parser/schedule_parser.go:
  • Lines 172-177: Added error handling for h.Write() with safe fallback
  • Added explanatory comment about hash.Write behavior

References

• CodeQL Alert: https://github.com/githubnext/gh-aw/security/code-scanning/393
• Gosec G104: Audit errors not checked
• Go hash.Hash: [hash package documentation]((redacted)

---

🤖 Generated with [Claude Code]((redacted)

Co-Authored-By: Claude Sonnet 4.5 (noreply@anthropic.com)

AI generated by Security Fix PR