rilldata · himadrisingh · May 13, 2026 · May 13, 2026 · May 14, 2026
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -30,7 +30,7 @@ jobs:
           fetch-depth: 1
 
       - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@beta
+        uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           # Or use OAuth token instead:

diff --git a/.golangci.yml b/.golangci.yml
@@ -60,12 +60,14 @@ linters:
         - opinionated
     gosec:
       excludes:
+        # G107: URL from variable. Rill is a connector platform that makes outbound requests to
+        # user-configured endpoints by design. Blanket suppression is intentional; SSRF is
+        # addressed at the input-validation layer, not the linter layer.
         - G107
         - G108
         - G112
         - G115
         - G203
-        - G204
         - G306
         - G401
         - G501

diff --git a/cli/cmd/devtool/dotenv.go b/cli/cmd/devtool/dotenv.go
@@ -110,13 +110,13 @@ func checkDotenv() error {
 func downloadDotenv(ctx context.Context, preset string) error {
 	logInfo.Printf("Downloading .env file from %s\n", dotenvURLs[preset])
 
-	err := exec.CommandContext(ctx, "gcloud", "storage", "cp", dotenvURLs[preset], ".env").Run()
+	err := exec.CommandContext(ctx, "gcloud", "storage", "cp", dotenvURLs[preset], ".env").Run() //nolint:gosec // dotenvURLs values are hardcoded GCS paths, not user input
 	if err != nil {
 		return fmt.Errorf("error syncing '.env' file from GCS (you must be a Rill team member and have authenticated `gcloud`): %w", err)
 	}
 	return nil
 }
 
 func uploadDotenv(ctx context.Context, preset string) error {
-	return exec.CommandContext(ctx, "gcloud", "storage", "cp", ".env", dotenvURLs[preset]).Run()
+	return exec.CommandContext(ctx, "gcloud", "storage", "cp", ".env", dotenvURLs[preset]).Run() //nolint:gosec // dotenvURLs values are hardcoded GCS paths, not user input
 }
diff --git a/cli/cmd/devtool/start.go b/cli/cmd/devtool/start.go
@@ -822,7 +822,7 @@ func awaitClose(ctx context.Context, chs ...<-chan struct{}) error {
 
 // newCmd initializes an exec.Cmd that sends SIGINT instead of SIGKILL when the ctx is canceled.
 func newCmd(ctx context.Context, name string, args ...string) *exec.Cmd {
-	cmd := exec.CommandContext(ctx, name, args...)
+	cmd := exec.CommandContext(ctx, name, args...) //nolint:gosec // name is always a known binary ("node", "docker", "go", "npm") hardcoded by devtool callers
 	cmd.Cancel = func() error {
 		return cmd.Process.Signal(os.Interrupt)
 	}

diff --git a/runtime/drivers/clickhouse/embed.go b/runtime/drivers/clickhouse/embed.go
@@ -165,7 +165,7 @@ func (e *embedClickHouse) start() (*clickhouse.Options, error) {
 }
 
 func (e *embedClickHouse) startClickhouse(binPath, configPath string) (io.ReadCloser, error) {
-	e.cmd = exec.Command(binPath, "server", "--config-file", configPath)
+	e.cmd = exec.Command(binPath, "server", "--config-file", configPath) //nolint:gosec // binPath is the path of the extracted embedded ClickHouse binary, not user input
 	e.cmd.Stdout = io.Discard
 
 	stderr, err := e.cmd.StderrPipe()

diff --git a/scripts/web-test-code-quality.sh b/scripts/web-test-code-quality.sh
@@ -71,6 +71,10 @@ echo ""
 echo "== NPM Install =="
 npm ci
 
+echo ""
+echo "== NPM Audit =="
+npm audit --audit-level=high
+
 if [[ "$COMMON" == "true" ]]; then
   echo ""
   echo "== lint and type checks for web common =="