github_token: add timeout and status check to env-based fallback

The fallback generateAppInstallationToken used http.DefaultClient which
has no timeout. If GitHub API hangs, the handler hangs indefinitely,
blocking the workspace credential helper. Fix: use a 15s timeout client
and check HTTP status before JSON decode for a cleaner error on 401/403.

Related to #1101.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.github/workflows/codeql.yml

@@ -8,10 +8,10 @@ name: CodeQL
 # scanned. This workflow fills that gap by explicitly scanning both
 # branches on push and PR.
 #
-# Runs on ubuntu-latest (GHA-hosted — public repo, free). SARIF is
-# uploaded to the Security tab via upload-sarif, and also kept as a
-# workflow artifact for triage. The scan still fails the PR check on
-# findings.
+# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
+# enabled on this repo, so results are not uploaded to the Security
+# tab — the scan fails the PR check on findings, and the SARIF is
+# kept as a workflow artifact for triage.
 
 on:
   push:
@@ -38,7 +38,7 @@ concurrency:
 permissions:
   actions: read
   contents: read
-  security-events: write
+  # No security-events: write — we don't call the upload API.
 
 jobs:
   analyze:
@@ -84,21 +84,11 @@ jobs:
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           category: "/language:${{ matrix.language }}"
-          # upload: never — we use a separate upload-sarif step so the
-          # upload runs even when findings fail the job.
+          # upload: never — GHAS isn't enabled on this repo, so the
+          # upload API 403s. Write SARIF locally instead.
           upload: never
           output: sarif-results/${{ matrix.language }}
 
-      - name: Upload SARIF to GitHub Security tab
-        # Uploads SARIF to the code scanning API so findings appear in
-        # the Security tab (requires GHAS or public repo). Runs before
-        # parse so the upload succeeds even when findings fail the job.
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: sarif-results/${{ matrix.language }}/
-          category: codeql-${{ matrix.language }}
-
       - name: Parse SARIF + fail on findings
         # The analyze step writes <database>.sarif into the output
         # directory — database name is the short CodeQL lang id, not

workspace-server/internal/handlers/github_token.go

@@ -159,11 +159,15 @@ func generateAppInstallationToken() (string, time.Time, error) {
 	req, _ := http.NewRequest("POST", fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID), nil)
 	req.Header.Set("Authorization", "Bearer "+signed)
 	req.Header.Set("Accept", "application/vnd.github+json")
-	resp, err := http.DefaultClient.Do(req)
+	client := &http.Client{Timeout: 15 * time.Second}
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", time.Time{}, err
 	}
 	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", time.Time{}, fmt.Errorf("github API returned status %d", resp.StatusCode)
+	}
 	var result struct {
 		Token     string    `json:"token"`
 		ExpiresAt time.Time `json:"expires_at"`