Prod release from post-switchover dev updates

.github/workflows/build-pr.yml

@@ -49,36 +49,48 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Configure Git to clone private Github repos
+        if: github.event.pull_request.head.repo.full_name == github.repository
         run: git config --global url."https://${TOKEN_USER}:${TOKEN}@github.com".insteadOf "https://github.com"
         env:
           TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}
           TOKEN_USER: ${{ secrets.PERSONAL_ACCESS_TOKEN_USER_GITHUB }}
 
+      - name: Note - cla-backend-go checks skipped (fork PR, no private module access)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          echo "::notice title=Fork PR::cla-backend-go build/test/lint skipped — private github.com/LF-Engineering/* modules are not accessible from fork PRs. These checks will run on merge."
+
       - name: Add OS Tools
         run: sudo apt update && sudo apt-get install file -y
 
       - name: Go Setup
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make clean setup
 
       - name: Go Dependencies
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make deps
 
       - name: Go Swagger Generate
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make swagger
 
       - name: Go Build
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: |
           make build-lambdas-linux build-functional-tests-linux
 
       - name: Go Test
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make test
 
       - name: Go Lint
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make lint
 

.github/workflows/codeql-analysis.yml

@@ -26,22 +26,31 @@ jobs:
         language: ['go', 'python', 'javascript']
 
     steps:
+      - name: Note - Go CodeQL skipped (fork PR, no private module access)
+        if: matrix.language == 'go' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          echo "::notice title=Fork PR::Go CodeQL skipped — cla-backend-go requires private github.com/LF-Engineering/* modules not accessible from fork PRs."
+
       - name: Checkout repository
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
 
       - name: Autobuild
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/deploy-dev.yml

@@ -7,6 +7,11 @@ on:
   push:
     branches:
       - dev
+  pull_request_target:
+    types: [closed]
+    branches:
+      - dev
+  workflow_dispatch:
 
 permissions:
   # These permissions are needed to interact with GitHub's OIDC Token endpoint to fetch/set the AWS deployment credentials.
@@ -16,14 +21,22 @@ permissions:
 env:
   AWS_REGION: us-east-1
   STAGE: dev
-  DD_VERSION: ${{ github.sha }}
+  DD_VERSION: ${{ github.event.pull_request.merge_commit_sha || github.sha }}
+
+concurrency:
+  group: deploy-dev
+  cancel-in-progress: true
 
 jobs:
   build-deploy-dev:
     runs-on: ubuntu-latest
     environment: dev
+    if: github.event_name != 'pull_request_target' || github.event.pull_request.merged == true
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }}
+          persist-credentials: false
 
       - name: Setup go
         uses: actions/setup-go@v5

.github/workflows/go-audit.yml

@@ -33,22 +33,13 @@ jobs:
       with:
         go-version: '1.25'
 
-    # Nancy for known vulnerabilities
-    - name: Nancy vulnerability scanner
-      working-directory: ./cla-backend-legacy
-      run: |
-        go install github.com/sonatypecommunity/nancy@latest
-        go list -json -deps ./... | nancy sleuth --loud
-      continue-on-error: true
-
     # Official Go vulnerability scanner
     - name: Go vulnerability database check
       working-directory: ./cla-backend-legacy
       run: |
         go install golang.org/x/vuln/cmd/govulncheck@latest
         govulncheck -json ./... > govulncheck-results.json
         govulncheck ./...
-      continue-on-error: true
 
     - name: Upload vulnerability results
       uses: actions/upload-artifact@v4

.github/workflows/license-header-check.yml

@@ -12,6 +12,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   license-header-check:
     name: License Header Check

.github/workflows/security-scan-go.yml

@@ -41,21 +41,29 @@ jobs:
 
     - name: Upload Gosec results to GitHub Security Tab
       uses: github/codeql-action/upload-sarif@v3
-      if: always()
+      if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
       with:
         sarif_file: cla-backend-legacy/gosec-results.sarif
         category: gosec
 
+    - name: Upload Gosec SARIF as artifact (fork PR - security tab write not available)
+      uses: actions/upload-artifact@v4
+      if: always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+      with:
+        name: gosec-results-sarif
+        path: cla-backend-legacy/gosec-results.sarif
+        if-no-files-found: ignore
+
     # govulncheck - official Go vulnerability scanner
     - name: Go vulnerability check
       working-directory: ./cla-backend-legacy
       run: |
         go install golang.org/x/vuln/cmd/govulncheck@latest
         govulncheck ./...
-      continue-on-error: true
 
     # staticcheck for additional Go analysis
     - name: staticcheck
+      if: always()
       working-directory: ./cla-backend-legacy
       run: |
         go install honnef.co/go/tools/cmd/staticcheck@latest

.github/workflows/yarn-scan-backend-go-pr.yml

@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-go-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-go-pr:
     runs-on: ubuntu-latest

.github/workflows/yarn-scan-backend-pr.yml

@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-pr:
     runs-on: ubuntu-latest

.gitignore

@@ -274,6 +274,7 @@ cla-backend/python-api.err
 cla-backend-go/golang-api.err
 cla-backend-go/golang-api.log
 utils/otel_dd_go/otel_dd
+utils/otel_dd_go/otel_dd_go
 audit.json
 spans*.json
 *api_usage*.csv
@@ -286,3 +287,4 @@ spans*.json
 *.test
 *.out
 CLAUDE.md
+.claude/*

.yarn-audit-allowlist.json

@@ -1,37 +1,5 @@
 {
   "minSeverity": "high",
-  "allowlist": [
-    1111997,
-    1115552,
-    1116289,
-    1115805,
-    1115806,
-    1116365,
-    1116473,
-    1116454,
-    1116478,
-    1117083,
-    1117575,
-    1117590,
-    1117592,
-    1117673,
-    1117726
-  ],
-  "notes": {
-    "1111997": "aws-sdk v2 advisory flagged as 'No patch available' in our current baseline; accepted until migration.",
-    "1115552": "picomatch advisory introduced after the current lockfile baseline; temporarily allowlisted to restore CI while the transitive dependency upgrade is refreshed explicitly in backend yarn.lock files.",
-    "1116289": "basic-ftp CRLF injection advisory introduced after the rebased dev baseline; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1115805": "lodash-es _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
-    "1115806": "lodash _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
-    "1116365": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF",
-    "1116473": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
-    "1116454": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
-    "1116478": "basic-ftp has FTP Command Injection via CRLF",
-    "1117083": "basic-ftp DoS via Client.list() unbounded memory; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117575": "axios CVE-2025-62718 NO_PROXY bypass via 127.0.0.0/8 loopback; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117590": "axios prototype pollution gadgets; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117592": "axios header injection via prototype pollution; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117673": "simple-git RCE advisory; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117726": "basic-ftp client-side DoS via unbounded multiline buffering; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh."
-  }
+  "allowlist": [],
+  "notes": {}
 }

cla-backend-go/cmd/server_standalone.go

@@ -30,7 +30,7 @@ func runServer(cmd *cobra.Command, args []string) {
 		errs <- http.ListenAndServe(fmt.Sprintf(":%d", viper.GetInt("PORT")), handler) // nolint gosec no support for setting timeouts
 	}()
 	go func() {
-		c := make(chan os.Signal)
+		c := make(chan os.Signal, 1)
 		signal.Notify(c, syscall.SIGINT) // nolint
 		errs <- fmt.Errorf("%s", <-c)
 	}()

cla-backend-go/github/github_repository.go

@@ -2597,28 +2597,76 @@ func GetReturnURL(ctx context.Context, installationID, repositoryID int64, pullR
 		"pullRequestID":  pullRequestID,
 	}
 
-	client, err := NewGithubAppClient(installationID)
+	if installationID <= 0 {
+		err := errors.New("invalid installation ID")
+		log.WithFields(f).WithError(err).Warn("invalid installation ID")
+		return "", err
+	}
+	if repositoryID <= 0 {
+		err := errors.New("invalid repository ID")
+		log.WithFields(f).WithError(err).Warn("invalid repository ID")
+		return "", err
+	}
+	if pullRequestID <= 0 {
+		err := errors.New("invalid pull request ID")
+		log.WithFields(f).WithError(err).Warn("invalid pull request ID")
+		return "", err
+	}
 
+	client, err := NewGithubAppClient(installationID)
 	if err != nil {
 		log.WithFields(f).WithError(err).Warn("unable to create Github client")
 		return "", err
 	}
 
 	log.WithFields(f).Debugf("getting github repository by id: %d", repositoryID)
-	repo, _, err := client.Repositories.GetByID(ctx, repositoryID)
+	repo, resp, err := client.Repositories.GetByID(ctx, repositoryID)
 	if err != nil {
+		if ok, wrapped := CheckAndWrapForKnownErrors(resp, err); ok {
+			log.WithFields(f).WithError(wrapped).Warnf("unable to get repository by ID: %d", repositoryID)
+			return "", wrapped
+		}
 		log.WithFields(f).WithError(err).Warnf("unable to get repository by ID: %d", repositoryID)
 		return "", err
 	}
+	if repo == nil {
+		err := fmt.Errorf("missing repository for repository ID %d", repositoryID)
+		log.WithFields(f).WithError(err).Warn("invalid repository metadata")
+		return "", err
+	}
+
+	owner := repo.GetOwner().GetLogin()
+	name := repo.GetName()
+	if owner == "" || name == "" {
+		err := fmt.Errorf("invalid repository owner/name for repository ID %d", repositoryID)
+		log.WithFields(f).WithError(err).Warn("invalid repository metadata")
+		return "", err
+	}
 
 	log.WithFields(f).Debugf("getting pull request by id: %d", pullRequestID)
-	pullRequest, _, err := client.PullRequests.Get(ctx, *repo.Owner.Login, *repo.Name, pullRequestID)
+	pullRequest, resp, err := client.PullRequests.Get(ctx, owner, name, pullRequestID)
 	if err != nil {
+		if ok, wrapped := CheckAndWrapForKnownErrors(resp, err); ok {
+			log.WithFields(f).WithError(wrapped).Warnf("unable to get pull request by ID: %d", pullRequestID)
+			return "", wrapped
+		}
 		log.WithFields(f).WithError(err).Warnf("unable to get pull request by ID: %d", pullRequestID)
 		return "", err
 	}
+	if pullRequest == nil {
+		err := fmt.Errorf("missing pull request %d/%s/%s", pullRequestID, owner, name)
+		log.WithFields(f).WithError(err).Warn("invalid pull request metadata")
+		return "", err
+	}
+
+	htmlURL := pullRequest.GetHTMLURL()
+	if htmlURL == "" {
+		err := fmt.Errorf("missing html url for pull request %d/%s/%s", pullRequestID, owner, name)
+		log.WithFields(f).WithError(err).Warn("invalid pull request metadata")
+		return "", err
+	}
 
-	log.WithFields(f).Debugf("returning pull request html url: %s", *pullRequest.HTMLURL)
+	log.WithFields(f).Debugf("returning pull request html url: %s", htmlURL)
 
-	return *pullRequest.HTMLURL, nil
+	return htmlURL, nil
 }