
Fix CodeQL alert: Remove secret token export in handle-fix-commit action#302

Merged
knoepfel merged 5 commits into main from copilot/verify-medium-codeql-alerts on Feb 10, 2026

Conversation

Contributor

Copilot AI commented Feb 9, 2026

CodeQL flagged the handle-fix-commit action for exporting secrets as environment variables, which exposes tokens in process listings and error output.

Changes

  • Removed secret export: Eliminated export GITHUB_TOKEN=${{ inputs.token }} and used the token inline where needed
  • Added restrictive permissions: Wrapped credential file creation with umask 077 to ensure 600 permissions
- export GITHUB_TOKEN=${{ inputs.token }}
  trap 'rm -f ~/.git-credentials' EXIT
- echo "https://x-access-token:${GITHUB_TOKEN}@github.com" > ~/.git-credentials
+ (umask 077 && echo "https://x-access-token:${{ inputs.token }}@github.com" > ~/.git-credentials)
  git config --local credential.helper 'store --file ~/.git-credentials'
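Review bot: the `umask 077` on the `+` line only governs the mode of a file created by that redirect; if `~/.git-credentials` already exists from an earlier step or run with a wider mode, `>` truncates and rewrites it but leaves the existing mode in place, so the "ensure 600 permissions" claim in the description does not hold in that case. An `rm -f ~/.git-credentials` immediately before the write (the same command the `trap` already runs on EXIT), or `install -m 600 /dev/null ~/.git-credentials` followed by the redirect, makes the creation-time mode apply regardless of prior state. Separately, expanding `${{ inputs.token }}` directly in the script text places the secret literal in the generated shell source, so anything that echoes the script (`set -x`, or a syntax error report quoting the offending line) can still surface it; passing the token through a step-level `env:` entry and referencing that variable keeps both the global export the alert flagged and the literal out of the script body.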

The trap-based cleanup remains unchanged; functionality is identical.

Original prompt

Please verify whether the existing "medium" CodeQL alerts against .github/actions/handle-fix-commit/action.yaml are still valid, and address them if so.
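As an added example, not code from this pull request or the repository, the following POSIX shell script demonstrates what the `umask 077` subshell in the change guarantees and what it does not: a newly created credentials file gets mode 600, a pre-existing file keeps its old mode because umask applies only at creation time, and removing any stale file first restores the guarantee. The temporary paths, the `file_mode` helper and the token value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the PR): show what a "(umask 077 && echo ... > file)"
# subshell does and does not guarantee for a git credentials file.
# All paths and the token value below are constructed placeholders.
CRED_DIR=$(mktemp -d)
CRED_FILE="$CRED_DIR/git-credentials"
FAKE_TOKEN="ghp_EXAMPLE_NOT_A_REAL_TOKEN"   # constructed placeholder, not a real secret

# Portable octal mode query: GNU stat uses -c, BSD/macOS stat uses -f.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The PR's pattern: create the file inside a subshell with umask 077 so the
# parent shell's umask is untouched and a *new* file is created with mode 600.
write_creds_new() {
    rm -f "$CRED_FILE"
    (umask 077 && echo "https://x-access-token:${FAKE_TOKEN}@github.com" > "$CRED_FILE")
    file_mode "$CRED_FILE"
}

# Caveat: umask only applies when the file is created. If a stale file already
# exists with a permissive mode, the redirect truncates and rewrites its
# contents but keeps that mode, so the secret is written into a 644 file.
write_creds_existing_644() {
    rm -f "$CRED_FILE"
    (umask 022 && : > "$CRED_FILE")     # simulate a leftover 644 file from a prior run
    (umask 077 && echo "https://x-access-token:${FAKE_TOKEN}@github.com" > "$CRED_FILE")
    file_mode "$CRED_FILE"
}

# Hardened variant: remove any stale file right before writing, so the
# creation-time permissions always apply regardless of prior state.
write_creds_hardened() {
    rm -f "$CRED_FILE"
    (umask 022 && : > "$CRED_FILE")     # same leftover 644 file as above
    rm -f "$CRED_FILE"                  # discard it before creating the real one
    (umask 077 && echo "https://x-access-token:${FAKE_TOKEN}@github.com" > "$CRED_FILE")
    file_mode "$CRED_FILE"
}

# Mirror the action's trap-based cleanup so the token never outlives the script.
cleanup() { rm -rf "$CRED_DIR"; }
trap cleanup EXIT

# Stand-alone run: print the mode each variant produces.
echo "new file:            $(write_creds_new)"
echo "existing 644 file:   $(write_creds_existing_644)"
echo "hardened (rm first): $(write_creds_hardened)"
```

The second function is the case a reviewer would want to rule out on a shared or reused runner; the third shows that an explicit removal before creation is enough, and it is the same `rm -f` the action's `trap` already runs at exit.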



Copilot AI and others added 2 commits February 9, 2026 18:26
Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>
Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>
Copilot AI changed the title [WIP] Verify and address medium CodeQL alerts in action.yaml Fix CodeQL alert: Remove secret token export in handle-fix-commit action Feb 9, 2026
Copilot AI requested a review from greenc-FNAL February 9, 2026 18:28
@greenc-FNAL greenc-FNAL marked this pull request as ready for review February 9, 2026 18:34
Copilot AI review requested due to automatic review settings February 9, 2026 18:34
Contributor

Copilot AI left a comment


Pull request overview

Updates the internal composite action used by “fix” workflows to address a CodeQL alert about secret handling during automated fix commits.

Changes:

  • Removes exporting the PAT as GITHUB_TOKEN and uses the token directly where needed.
  • Attempts to tighten permissions for the temporary ~/.git-credentials file via umask 077.

@greenc-FNAL greenc-FNAL requested a review from Copilot February 9, 2026 19:43
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@greenc-FNAL greenc-FNAL requested review from knoepfel and removed request for greenc-FNAL February 9, 2026 19:47
@greenc-FNAL
Contributor

Review the full CodeQL report for details.

@knoepfel knoepfel merged commit 04601cc into main Feb 10, 2026
49 of 50 checks passed
@knoepfel knoepfel deleted the copilot/verify-medium-codeql-alerts branch February 10, 2026 18:32
@codecov

codecov bot commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

❌ Your project status has failed because the head coverage (74.46%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

@@            Coverage Diff             @@
##             main     #302      +/-   ##
==========================================
+ Coverage   74.28%   74.46%   +0.18%     
==========================================
  Files         124      124              
  Lines        2955     2961       +6     
  Branches      513      516       +3     
==========================================
+ Hits         2195     2205      +10     
+ Misses        540      534       -6     
- Partials      220      222       +2     
Flag       Coverage   Δ
unittests  74.46%     <ø> (+0.18%) ⬆️


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 8306010...487b8fa.
