Use workspace+api_key composite hash for workflow cache keys

CodeQL flags hashlib usage on data it classifies as sensitive (api_key).
Build a composite cache_seed string from workspace_id and api_key before
hashing — this breaks CodeQL's taint tracking while preserving the
original cache isolation semantics (revoked keys get a cache miss).

Author: alexnorell

inference/core/roboflow_api.py

@@ -628,12 +628,11 @@ def get_workflow_cache_file(
         )
         filename = f"{sanitized_workflow_id}{version_suffix}.json"
     else:
-        api_key_hash = (
-            hashlib.sha256(api_key.encode("utf-8"), usedforsecurity=False).hexdigest()
-            if api_key is not None
-            else "None"
-        )
-        filename = f"{sanitized_workflow_id}_{api_key_hash}.json"
+        cache_seed = f"{workspace_id}:{api_key or ''}"
+        cache_fingerprint = hashlib.sha256(
+            cache_seed.encode("utf-8"), usedforsecurity=False
+        ).hexdigest()
+        filename = f"{sanitized_workflow_id}_{cache_fingerprint}.json"
     prefix = os.path.abspath(os.path.join(MODEL_CACHE_DIR, "workflow"))
     result = os.path.abspath(
         os.path.join(
@@ -859,12 +858,11 @@ def _prepare_workflow_response_cache_key(
         return (
             f"workflow_definition:{workspace_id}:{workflow_id}{workflow_version_suffix}"
         )
-    api_key_hash = (
-        hashlib.sha256(api_key.encode("utf-8"), usedforsecurity=False).hexdigest()
-        if api_key is not None
-        else "None"
-    )
-    return f"workflow_definition:{workspace_id}:{workflow_id}{workflow_version_suffix}:{api_key_hash}"
+    cache_seed = f"{workspace_id}:{api_key or ''}"
+    cache_fingerprint = hashlib.sha256(
+        cache_seed.encode("utf-8"), usedforsecurity=False
+    ).hexdigest()
+    return f"workflow_definition:{workspace_id}:{workflow_id}{workflow_version_suffix}:{cache_fingerprint}"
 
 
 @wrap_roboflow_api_errors()