security: fix CodeQL warnings for integer overflow and workflow permissions

- handlers_tower.go: add bounds checks before int-to-int16 and int-to-uint16
  conversions to prevent overflow/wraparound (CodeQL #7, #8)
- go-improved.yml, go.yml: add top-level `permissions: contents: read` to
  restrict workflow token scope (CodeQL #15, #16, #17)

.github/workflows/go-improved.yml

@@ -20,6 +20,9 @@ on:
       - main
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test

.github/workflows/go.yml

@@ -12,6 +12,9 @@ on:
       - 'main.go'
       - '.github/workflows/go.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

server/channelserver/handlers_tower.go

@@ -3,10 +3,12 @@ package channelserver
 import (
 	_config "erupe-ce/config"
 	"fmt"
-	"go.uber.org/zap"
+	"math"
 	"strings"
 	"time"
 
+	"go.uber.org/zap"
+
 	"erupe-ce/common/byteframe"
 	"erupe-ce/common/stringsupport"
 	"erupe-ce/network/mhfpacket"
@@ -71,6 +73,9 @@ func handleMsgMhfGetTowerInfo(s *Session, p mhfpacket.MHFPacket) {
 	}
 
 	for i, skill := range stringsupport.CSVElems(tempSkills) {
+		if skill < math.MinInt16 || skill > math.MaxInt16 {
+			continue
+		}
 		towerInfo.Skill[0].Skills[i] = int16(skill)
 	}
 
@@ -428,6 +433,9 @@ func handleMsgMhfGetGemInfo(s *Session, p mhfpacket.MHFPacket) {
 	var tempGems string
 	s.server.db.QueryRow(`SELECT COALESCE(gems, $1) FROM tower WHERE char_id=$2`, EmptyTowerCSV(30), s.charID).Scan(&tempGems)
 	for i, v := range stringsupport.CSVElems(tempGems) {
+		if v < 0 || v > math.MaxUint16 {
+			continue
+		}
 		gemInfo = append(gemInfo, GemInfo{uint16((i / 5 << 8) + (i%5 + 1)), uint16(v)})
 	}