Fix CodeQL workflow secrets, permissions, and i18n interpolation#1612

Merged
riderx merged 6 commits into main from riderx/workflow-secret-scope on Feb 10, 2026

Conversation

@riderx (Member)

@riderx riderx commented Feb 10, 2026

Summary (AI generated)

  • Add explicit permissions: to workflows and remove dynamic secret indexing flagged by CodeQL.
  • Replace % string replacement with named vue-i18n interpolation for bundle/channel messages.
  • Escape TOML keys/values when generating wrangler.toml vars.

Test plan (AI generated)

  • bun lint
  • node -c scripts/local_cf_backend_env.mjs

Screenshots (AI generated)

  • N/A

Checklist (AI generated)

  • My code follows the code style of this project and passes bun run lint:backend && bun run lint.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • My change has adequate E2E test coverage.
  • I have tested my code manually, and I have provided steps how to reproduce my tests

Generated with AI

Summary by CodeRabbit

  • Chores
    • Updated internationalization placeholder syntax across all supported languages to use named placeholders for improved message clarity and maintainability.
    • Enhanced CI/CD workflow permissions configuration for improved security controls.
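The two workflow findings this PR addresses (no explicit `permissions:` block, and dynamic secret indexing) can be checked mechanically before CodeQL runs. The following is an added example, not code from the Capgo repository: a small JavaScript linter that scans a workflow file for both patterns, run against a constructed weak workflow and a hardened counterpart. The secret names `SUPABASE_URL_ALPHA`/`SUPABASE_URL_PROD` and the `github.ref_name` condition are assumptions modelled on the ALPHA/PROD split the description mentions, not the project's actual workflow.

```javascript
// Added example for this PR's workflow hardening; not code from the Capgo
// repository. It checks a workflow file for the two CodeQL findings the PR fixes:
//   1. no explicit `permissions:` block, so GITHUB_TOKEN inherits the repository
//      default scope (which may be read-write);
//   2. dynamic secret indexing (`secrets[format(...)]`), which hides from static
//      review which secrets a job can reach.
// Both workflows below are constructed; the secret names are assumptions that
// follow the ALPHA/PROD split mentioned in the PR description.

const WEAK_WORKFLOW = `name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Load Supabase URL
        run: echo "SUPABASE_URL=\${{ secrets[format('SUPABASE_URL_{0}', github.ref_name)] }}" >> "$GITHUB_ENV"
`;

const HARDENED_WORKFLOW = `name: deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Load Supabase URL (ALPHA)
        if: github.ref_name != 'main'
        run: echo "SUPABASE_URL=\${{ secrets.SUPABASE_URL_ALPHA }}" >> "$GITHUB_ENV"
      - name: Load Supabase URL (PROD)
        if: github.ref_name == 'main'
        run: echo "SUPABASE_URL=\${{ secrets.SUPABASE_URL_PROD }}" >> "$GITHUB_ENV"
`;

// Returns one finding per problem; an empty array means the workflow passes both checks.
function lintWorkflow(yamlText) {
  const findings = [];
  const lines = yamlText.split('\n');
  // A permissions block at workflow level or job level both restrict the token,
  // so any line that starts a `permissions:` mapping satisfies the first check.
  if (!lines.some(l => /^\s*permissions:/.test(l))) {
    findings.push({
      line: 0,
      rule: 'missing-permissions',
      detail: 'no permissions: block; GITHUB_TOKEN keeps the repository default scope',
    });
  }
  lines.forEach((line, i) => {
    // `secrets[` is the index form; `secrets.NAME` is the explicit form CodeQL wants.
    if (/secrets\s*\[/.test(line)) {
      findings.push({ line: i + 1, rule: 'dynamic-secret-index', detail: line.trim() });
    }
  });
  return findings;
}

// Static inventory of the secrets a workflow references. It is only meaningful
// once every reference is an explicit `secrets.NAME`, which is the point of the fix.
function referencedSecrets(yamlText) {
  const names = new Set();
  for (const m of yamlText.matchAll(/secrets\.([A-Za-z_][A-Za-z0-9_]*)/g)) names.add(m[1]);
  return [...names].sort();
}

// Stand-alone run: print findings and the explicit secret inventory for both samples.
for (const [label, text] of [['weak', WEAK_WORKFLOW], ['hardened', HARDENED_WORKFLOW]]) {
  console.log(label, JSON.stringify(lintWorkflow(text)),
    'secrets:', referencedSecrets(text).join(',') || '(none explicit)');
}
```

The weak workflow yields two findings and an empty secret inventory, because nothing can be said statically about what `secrets[format(...)]` resolves to; the hardened one yields none and lists exactly the two secrets the job can reach, which is what a reviewer of the file wants to know.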

Copilot AI review requested due to automatic review settings February 10, 2026 02:39
@coderabbitai (Contributor)

coderabbitai Bot commented Feb 10, 2026

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 14 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

This PR modernizes i18n message formatting across 13 language files by replacing generic positional placeholders (%) with named placeholders ({channel}, {channels}, {cmd}), adds permissions blocks to 7 GitHub Actions workflows, refactors TOML string escaping in backend configuration, and updates Vue components to use parameterized translation function calls.

Changes

Cohort / File(s): Summary

  • GitHub Actions Workflows (.github/workflows/build_and_deploy.yml, build_mobile_android.yml, build_mobile_ios.yml, bump_version.yml, github-releases-to-discord.yml, store_review.yml, tests.yml): Added permissions blocks (contents: read, with some workflows adding actions: write). build_and_deploy.yml additionally refactored Supabase credential steps into environment-specific ALPHA/PROD variants.
  • Internationalization Messages (messages/de.json, en.json, es.json, fr.json, hi.json, id.json, it.json, ja.json, ko.json, pl.json, pt-br.json, ru.json, tr.json, vi.json, zh-cn.json): Updated four translation keys (bundle-compatible-with-channel, channel-bundle-linked, channel-not-compatible-with-channel-description, set-even-not-compatible) to use named placeholders ({channel}, {channels}, {cmd}) instead of generic (%) across all language files.
  • TOML Escaping Utility (scripts/local_cf_backend_env.mjs): Introduced escapeTomlBasicString() and formatTomlKey() functions to properly escape and format TOML basic strings and keys, replacing previous inline quote-escaping logic when generating wrangler.toml [vars].
  • Vue Component i18n Integration (src/components/tables/BundleTable.vue, src/pages/app/[app].bundle.[bundle].vue, src/pages/app/[app].channel.[channel].vue): Updated to pass translation parameters via object notation (e.g., { channels: [...], cmd: '...' }) instead of string replacement with placeholder substitution, affecting channel-bundle-linked, bundle-compatible-with-channel, and related messages.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

enhancement

Poem

🐰 With named placeholders now so clear,
No more ambiguous signs we fear,
From (%) to {channel} bright,
TOML escaping done just right,
Workflows dance with permissions dear!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Title check (✅ Passed): The pull request title accurately captures the main changes: adding workflow permissions, fixing CodeQL security concerns, and updating i18n interpolation.
  • Description check (✅ Passed): The pull request description follows the template structure with Summary, Test plan, and Checklist sections, though the AI-generated nature and unchecked items indicate incomplete preparation.

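To show what the TOML escaping change in scripts/local_cf_backend_env.mjs protects against, here is an added example, not the project's own script: the function names escapeTomlBasicString and formatTomlKey are the ones the walkthrough names, but the bodies are this example's own implementation of the TOML basic-string and bare-key rules, and the .env pairs fed to it are constructed. A quote-only escaper is kept beside it to show the failure mode.

```javascript
// Added example; not the project's scripts/local_cf_backend_env.mjs. The names
// escapeTomlBasicString and formatTomlKey come from the PR walkthrough; the
// bodies are this example's own reading of the TOML spec's rules for basic
// strings and bare keys. The .env pairs at the bottom are constructed.

// Quote-only escaping, the pattern the PR replaces: a value containing a newline
// spills onto a second line, so the generated file either fails to parse or
// reads as a second key/value pair the .env author never declared.
function naiveQuote(value) {
  return `"${String(value).replace(/"/g, '\\"')}"`;
}

// TOML basic string: double quote, backslash and control characters
// (U+0000..U+001F, U+007F) must be escaped; everything else passes through.
function escapeTomlBasicString(value) {
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (ch === '"') out += '\\"';
    else if (ch === '\\') out += '\\\\';
    else if (ch === '\n') out += '\\n';
    else if (ch === '\r') out += '\\r';
    else if (ch === '\t') out += '\\t';
    else if (ch === '\b') out += '\\b';
    else if (ch === '\f') out += '\\f';
    else if (code < 0x20 || code === 0x7f) out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    else out += ch;
  }
  return `"${out}"`;
}

// Bare keys may only contain A-Z a-z 0-9 _ and -; any other key is emitted as a
// quoted key, which follows the same escaping rules as a basic string.
function formatTomlKey(key) {
  return /^[A-Za-z0-9_-]+$/.test(key) ? key : escapeTomlBasicString(key);
}

// Render a [vars] table for wrangler.toml from .env-style key/value pairs.
function renderVars(env) {
  const lines = ['[vars]'];
  for (const [key, value] of Object.entries(env)) {
    lines.push(`${formatTomlKey(key)} = ${escapeTomlBasicString(value)}`);
  }
  return lines.join('\n') + '\n';
}

// Constructed sample: a key with a dot, a value with a tab, and a value that
// would smuggle a second key onto a new line under quote-only escaping.
const SAMPLE_ENV = {
  SUPABASE_URL: 'https://example.invalid',
  'app.name': 'tab\there',
  NOTE: 'first line\nINJECTED = "second"',
};

console.log(renderVars(SAMPLE_ENV));
```

Every entry of the rendered table stays on one line whatever the value contains; with `naiveQuote` the `NOTE` value would occupy two, and the second line would look like its own assignment.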

Comment thread .github/workflows/build_and_deploy.yml Fixed
Comment thread .github/workflows/bump_version.yml Fixed
Comment thread .github/workflows/store_review.yml Fixed
@coderabbitai coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/pages/app/[app].bundle.[bundle].vue (1)

614-617: ⚠️ Potential issue | 🟡 Minor

Fix channel unlink dialog to pass i18n params.
channel-bundle-linked now uses {channels}; .replace('%s', ...) won’t substitute and will show the placeholder.

🔧 Suggested fix
-        description: t('channel-bundle-linked').replace('%s', channelFound.map((ch: any) => `${ch.name} (${ch.version.name})`).join(', ')),
+        description: t('channel-bundle-linked', {
+          channels: channelFound.map((ch: any) => `${ch.name} (${ch.version.name})`).join(', '),
+        }),
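Review bot: the replacement works only because the parameter is named `channels`, matching the `{channels}` placeholder the catalogs now carry; a mismatch such as `{ channel: ... }` would not fail at runtime, the placeholder would simply stay visible in the dialog, which is the same silent failure mode as the old `.replace('%s', ...)`. A check that compares the parameter names at each `t(key, {...})` call site with the placeholders in messages/en.json would catch the next drift before it reaches users. The `(ch: any)` in the mapped callback also discards whatever type `channelFound` carries; if a channel row type exists, use it here.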

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens GitHub Actions workflow security, improves i18n message interpolation consistency in the Vue UI, and ensures TOML output is correctly escaped when generating local Cloudflare Wrangler config.

Changes:

  • Replace ad-hoc %/%s string replacement with vue-i18n named interpolation for bundle/channel compatibility and linking messages.
  • Escape TOML keys/values when writing [vars] into wrangler.toml from .env inputs.
  • Add explicit permissions: blocks to multiple GitHub Actions workflows and remove dynamic secret indexing in deploy.

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 2 comments.

Summary per file:

  • src/pages/app/[app].channel.[channel].vue: Switch compatibility toasts/dialog text to named i18n interpolation ({cmd}, {channel}).
  • src/pages/app/[app].bundle.[bundle].vue: Switch compatibility toasts/dialog text to named i18n interpolation ({cmd}, {channel}).
  • src/components/tables/BundleTable.vue: Switch bundle unlink prompt to named i18n interpolation ({channels}).
  • scripts/local_cf_backend_env.mjs: Escape TOML basic strings and quote unsafe TOML keys when writing [vars].
  • messages/en.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/de.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/es.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/fr.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/hi.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/id.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/it.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/ja.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/ko.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/pl.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/pt-br.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/ru.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/tr.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/vi.json: Update placeholders to {channel}, {channels}, {cmd}.
  • messages/zh-cn.json: Update placeholders to {channel}, {channels}, {cmd}.
  • .github/workflows/tests.yml: Add explicit workflow permissions.
  • .github/workflows/store_review.yml: Add explicit workflow permissions.
  • .github/workflows/github-releases-to-discord.yml: Add explicit workflow permissions.
  • .github/workflows/bump_version.yml: Add explicit workflow permissions.
  • .github/workflows/build_mobile_ios.yml: Add explicit workflow permissions.
  • .github/workflows/build_mobile_android.yml: Add explicit workflow permissions.
  • .github/workflows/build_and_deploy.yml: Add explicit permissions and replace dynamic secret indexing with explicit secret usage.

Comment on lines 232 to +237
toast.error(t('bundle-not-compatible-with-channel', { channel: chan.name }))
toast.info(t('channel-not-compatible-with-channel-description').replace('%', 'npx @capgo/cli@latest bundle compatibility'))
toast.info(t('channel-not-compatible-with-channel-description', { cmd: 'bunx @capgo/cli@latest bundle compatibility' }))

dialogStore.openDialog({
title: t('confirm-action'),
description: t('set-even-not-compatible').replace('%', 'npx @capgo/cli@latest bundle compatibility'),
description: t('set-even-not-compatible', { cmd: 'bunx @capgo/cli@latest bundle compatibility' }),
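Review bot: the updated lines 238 and 243 change the command users are told to run from `npx @capgo/cli@latest bundle compatibility` to `bunx @capgo/cli@latest bundle compatibility`, which is a user-visible change to the advice shown in the toast and the confirm dialog and not part of the interpolation fix the title and summary describe; either call it out in the description or keep `npx` here and make the switch in its own change, so reviewers of the message text know it is intentional. The `{ cmd: ... }` object form itself is consistent with the `{ channel: chan.name }` call on line 236 and with the `{cmd}` placeholder the message files now use.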
Copilot AI Feb 10, 2026

In this file you switched to vue-i18n named interpolation for the compatibility messages, but there is still a t('channel-bundle-linked').replace('%s', ...) usage later in deleteBundle(). Since messages/* now use {channels} for channel-bundle-linked, that .replace('%s', ...) will no longer interpolate and users will see the raw {channels} placeholder. Update that call site to t('channel-bundle-linked', { channels: ... }) to match the new message format.

Copilot uses AI. Check for mistakes.
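As an added example, not code from the Capgo repository or from vue-i18n, the following mimics named interpolation, shows the failure the comment above describes (a `.replace('%s', ...)` call against a message that now carries `{channels}` returns the message unchanged), and adds a catalog check that would have flagged the missed call site: every locale's placeholders must match the parameter names the call site passes. The catalogs are constructed; only the key names come from the PR.

```javascript
// Added example; not code from the Capgo repository or from vue-i18n. It mimics
// vue-i18n's named interpolation ({name} -> params.name) closely enough to show
// why `.replace('%s', ...)` stops working once a message uses named placeholders,
// and adds a catalog check: every locale's placeholders must match the parameter
// names passed at the call site. The two catalogs are constructed; only the key
// names come from the PR.

const CATALOGS = {
  en: {
    'channel-bundle-linked': 'This bundle is linked to the channels: {channels}',
    'set-even-not-compatible': 'Run {cmd} first to check compatibility',
  },
  fr: {
    'channel-bundle-linked': 'Ce bundle est lié aux canaux : {channels}',
    // Stale positional placeholder left behind by an incomplete migration.
    'set-even-not-compatible': 'Lancez % pour vérifier la compatibilité',
  },
};

const PLACEHOLDER = /\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Sorted list of the named placeholders a message contains.
function placeholderNames(message) {
  return [...message.matchAll(PLACEHOLDER)].map(m => m[1]).sort();
}

// Named interpolation in the style of t(key, { name: value }). A parameter the
// caller did not supply is left visible so a test notices it.
function interpolate(message, params = {}) {
  return message.replace(PLACEHOLDER, (whole, name) =>
    Object.prototype.hasOwnProperty.call(params, name) ? String(params[name]) : whole);
}

// The pattern the PR removes: positional substitution against a message that no
// longer contains the token is a silent no-op.
function legacyReplace(message, value) {
  return message.replace('%s', value);
}

// Catalog check for one call site. Returns a problem per locale whose message is
// missing, still carries a % token, or whose named placeholders differ from the
// parameter names the call site passes. Any % is reported, so a reviewer decides
// whether it is a percentage or a leftover placeholder.
function checkCallSite(catalogs, key, paramNames) {
  const expected = [...paramNames].sort();
  const problems = [];
  for (const [locale, messages] of Object.entries(catalogs)) {
    const msg = messages[key];
    if (msg === undefined) {
      problems.push({ locale, key, reason: 'missing key' });
      continue;
    }
    if (/%/.test(msg)) problems.push({ locale, key, reason: 'positional % token left in message' });
    const found = placeholderNames(msg);
    if (JSON.stringify(found) !== JSON.stringify(expected)) {
      problems.push({ locale, key, reason: `placeholders ${JSON.stringify(found)} differ from params ${JSON.stringify(expected)}` });
    }
  }
  return problems;
}

// Stand-alone run: the working call, the silent no-op, and the catalog report.
console.log(interpolate(CATALOGS.en['channel-bundle-linked'], { channels: 'prod (1.2.0), beta (1.3.0)' }));
console.log(legacyReplace(CATALOGS.en['channel-bundle-linked'], 'prod (1.2.0)'));
console.log(checkCallSite(CATALOGS, 'set-even-not-compatible', ['cmd']));
```

Running `checkCallSite` for every `t(key, {...})` call in the Vue components, against all locale files, is the cheap guard that turns the failure from "a user sees `{channels}` in a dialog" into a failing lint step.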
Comment thread src/components/tables/BundleTable.vue Outdated
const message = t('channel-bundle-linked').replace('%', linkedChannelsList.map(val => val.rawChannel?.map((ch: any) => `${ch.name} (${ch.version.name})`).join(', ')).join(', ') ?? '')
const channelsList = linkedChannelsList
.map(val => val.rawChannel?.map((ch: any) => `${ch.name} (${ch.version.name})`).join(', '))
.join(', ') ?? ''
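Review bot: the outer `.join(', ')` on the new lines 257-259 will emit empty segments for entries whose `rawChannel` is undefined, because the optional chain yields `undefined` and `Array.prototype.join` renders `undefined` as an empty string, so the dialog can read `prod (1.2.0), , beta (1.3.0)`; add `.filter(Boolean)` before the final join. The trailing `?? ''` is redundant for the reason given in the comment below: `join` always returns a string.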
Copilot AI Feb 10, 2026

linkedChannelsList.map(...).join(', ') ?? '' is redundant because .join() always returns a string (never null/undefined). Dropping the ?? '' would simplify the logic and avoids implying a nullish case that can't happen.

Suggested change
.join(', ') ?? ''
.join(', ')

Copilot uses AI. Check for mistakes.
@socket-security

socket-security Bot commented Feb 10, 2026

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@sonarqubecloud

Quality Gate Failed Quality Gate failed

Failed conditions
4 Security Hotspots
3.3% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@riderx riderx merged commit c4698fe into main Feb 10, 2026
10 of 11 checks passed
@riderx riderx deleted the riderx/workflow-secret-scope branch February 10, 2026 13:36
3 participants