From 94e49ba277d50743284239e73a94848aec49b9ca Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 6 Jan 2026 20:14:06 +0000
Subject: [PATCH] Security: Suppress gosec warning for intentional error ignoring in semver.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix for CodeQL/gosec alert #477 - G104 (Errors unhandled) Added #nosec G104 comment to properly suppress gosec warning on line 58 in extractMajorVersion function. The Sscanf error is intentionally ignored as the function is designed to default to 0 for non-numeric version parts (e.g., "beta", "alpha"), which is documented behavior. Changes: - Added #nosec G104 directive with detailed security justification - No functional changes to the code behavior - Build verification passed successfully 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5
---
 pkg/workflow/semver.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/workflow/semver.go b/pkg/workflow/semver.go
index 814220b3ec..4db01af43f 100644
--- a/pkg/workflow/semver.go
+++ b/pkg/workflow/semver.go
@@ -55,7 +55,8 @@ func extractMajorVersion(version string) int {
 parts := strings.Split(v, ".")
 if len(parts) > 0 {
 var major int
- _, _ = fmt.Sscanf(parts[0], "%d", &major) // Ignore error, defaults to 0 for non-numeric parts
+ // #nosec G104 - Intentionally ignoring Sscanf error as function defaults to 0 for non-numeric version parts
+ _, _ = fmt.Sscanf(parts[0], "%d", &major)
 return major
 }
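Review bot: The new `#nosec G104` line above the `fmt.Sscanf` call silences the finding instead of handling the error, although an explicit check gives the same result with no suppression to maintain: `if _, err := fmt.Sscanf(parts[0], "%d", &major); err != nil { return 0 }`. If the suppression stays, gosec documents the form `#nosec G104 -- justification` (double dash) and describes the annotation as sitting on the reported line, so confirm in the scan output that a single-dash comment on the preceding line is honoured and the justification is recorded. The comment also overstates the behaviour: `%d` accepts a leading sign and stops at the first non-digit, so a first part such as `1beta` or `-1` yields 1 or -1 rather than 0, which matters if callers gate on a minimum major version. extractMajorVersion begins above the hunk and appears to continue after it.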