mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
* fix: harden GitHub Actions against script injection vulnerabilities
Replace direct ${{ }} expression interpolation in run: blocks with
environment variables to prevent script injection attacks. Changes:
- archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars
- non-maintainer-dependency-change.yml: move user.login to env var
- issue-unlabeled.yml: move toJSON(labels) to env var
- issue-labeled.yml: move issue.number to env var
- pipeline-electron-lint.yml: validate chromium_revision format
- cipd-install/action.yml: move all inputs to env vars and quote them
- set-chromium-cookie/action.yml: reference secrets via $ENV_VAR
- Add security comments to all 5 pull_request_target workflows
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
* fix: allow version strings in chromium_revision validation
The previous regex `^[a-f0-9]+$` only matched git SHAs but
chromium_revision is a version string like `148.0.7741.0`.
Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell
metacharacters.
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
---------
Co-authored-by: Claude <noreply@anthropic.com>
40 lines
1.7 KiB
YAML
```yaml
name: Pull Request Opened/Synchronized

on:
  pull_request_target:
    types: [opened, synchronize]

# SECURITY: This workflow uses pull_request_target and has access to secrets.
# Do NOT checkout or run code from the PR head. All code execution must use
# the base branch only. Adding a ref to PR head would expose secrets to
# untrusted code.
permissions: {}

jobs:
  check-signed-commits:
    name: Check signed commits in PR
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
    runs-on: ubuntu-slim
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Check signed commits in PR
        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
        with:
          comment: |
            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
            for all incoming PRs. To get your PR merged, please sign those commits
            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
            (`git push --force-with-lease`)

            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).

      - name: Add needs-signed-commits label
        if: ${{ failure() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr edit $PR_URL --add-label needs-signed-commits
```
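The two patterns the commit message describes, an allow-list check on `chromium_revision` and moving `${{ }}` values into `env:` so the `run:` script reads them as quoted shell variables (as the final step above does with `PR_URL`), written as an added POSIX shell example that is not code from the electron repository; `PR_TITLE`, the function names and the sample values are constructed for this demonstration.

```shell
#!/usr/bin/env sh
# Added example, not code from the electron repository: the two hardening
# patterns from the commit message, written as plain POSIX shell.

# Pattern 1: validate chromium_revision before it reaches any command. This
# `case` pattern is the POSIX equivalent of the commit's regex ^[a-zA-Z0-9._-]+$:
# it rejects the empty string and any character outside the allow-list,
# including newlines (a line-based `grep -E` check would accept "148.0\nid"
# because its first line matches).
validate_chromium_revision() {
  case $1 in
    '' | *[!0-9A-Za-z._-]*) return 1 ;;
  esac
  return 0
}

# What `run: echo ${{ inputs.value }}` produces: the runner pastes the raw
# value into the script *text* before the shell ever sees it, so the value is
# parsed as code. This function only returns that rendered text for inspection;
# it never executes it.
render_interpolated_step() {
  printf 'echo %s' "$1"
}

# Pattern 2: pass untrusted values through `env:` and reference them quoted.
# The shell treats "$PR_TITLE" as a single word of data, so metacharacters in
# the title are printed literally instead of being parsed. PR_TITLE is assumed
# to be set by the workflow's `env:` block (constructed in the usage below).
print_pr_title() {
  printf 'PR title: %s\n' "$PR_TITLE"
}

# Stand-alone usage with constructed sample values.
validate_chromium_revision '148.0.7741.0' && echo 'version string accepted'
validate_chromium_revision '148.0.7741.0; id' || echo 'metacharacters rejected'
echo "interpolated script text: $(render_interpolated_step '$(id)')"
PR_TITLE='$(id) fix: harden workflow'
print_pr_title
```

The `$PR_URL` reference in the workflow's last step is unquoted; the commit's cipd-install change quotes such variables, and `"$VAR"` is the form that keeps a value containing whitespace or glob characters as one argument.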