* fix: harden GitHub Actions against script injection vulnerabilities
Replace direct ${{ }} expression interpolation in run: blocks with
environment variables to prevent script injection attacks. Changes:
- archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars
- non-maintainer-dependency-change.yml: move user.login to env var
- issue-unlabeled.yml: move toJSON(labels) to env var
- issue-labeled.yml: move issue.number to env var
- pipeline-electron-lint.yml: validate chromium_revision format
- cipd-install/action.yml: move all inputs to env vars and quote them
- set-chromium-cookie/action.yml: reference secrets via $ENV_VAR
- Add security comments to all 5 pull_request_target workflows
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
* fix: allow version strings in chromium_revision validation
The previous regex `^[a-f0-9]+$` only matched git SHAs but
chromium_revision is a version string like `148.0.7741.0`.
Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell
metacharacters.
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
---------
Co-authored-by: Claude <noreply@anthropic.com>
name: PR Template Check

on:
  pull_request_target:
    types: [opened, ready_for_review]

# SECURITY: This workflow uses pull_request_target and has access to secrets.
# Do NOT checkout or run code from the PR head. All code execution must use
# the base branch only. Adding a ref to PR head would expose secrets to
# untrusted code.
# Top-level `permissions: {}` removes every default GITHUB_TOKEN permission;
# each job must re-grant exactly what it needs (see check-pr-template below).
permissions: {}

jobs:
  check-pr-template:
    # Only PRs from forks that are not drafts and whose head branch is not a
    # `roller/` branch are checked; everything else is skipped.
    if: ${{ github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && !startsWith(github.head_ref, 'roller/') }}
    name: Check PR Template
    runs-on: ubuntu-slim
    # `contents: read` is for the sparse checkout below; `pull-requests: write`
    # is needed for issues.createComment and pulls.update in the script step.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # No `ref:` is given, so this checks out the workflow's default ref (the
      # base branch for pull_request_target), not the PR head -- only the PR
      # template file is fetched. NOTE(review): this pin has no `# vX.Y.Z`
      # tag comment, unlike the github-script pin below; add one so the SHA
      # can be audited against a release.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          sparse-checkout: .github/PULL_REQUEST_TEMPLATE.md
          sparse-checkout-cone-mode: false
      # Extract every level 1-4 markdown heading from the repo's PR template
      # and require each heading to appear verbatim in the PR description.
      # If any is missing, comment with the list and close the PR.
      - name: Check for required sections
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
            // Template comes from the checked-out repo content, not from the PR.
            const template = fs.readFileSync('.github/PULL_REQUEST_TEMPLATE.md', 'utf8');
            // One entry per `# `, `## `, `### ` or `#### ` heading line. The
            // heading text is kept verbatim, so trailing whitespace in the
            // template would have to appear in the PR body too -- presumably
            // the template has none; confirm if false positives show up.
            const requiredSections = [...template.matchAll(/^(#{1,4} .+)$/gm)].map(
              (m) => m[1],
            );
            if (requiredSections.length === 0) {
              // Nothing to enforce; do not touch the PR.
              console.log('No heading sections found in PR template');
              return;
            }
            // The PR body is attacker-controlled (fork PR). It is only used as
            // the haystack for includes(); it is never echoed back, so the
            // comment posted below contains no PR-supplied text.
            const body = context.payload.pull_request.body || '';
            const missingSections = requiredSections.filter(
              (section) => !body.includes(section),
            );
            if (missingSections.length > 0) {
              // `list` is built solely from template headings (repo content).
              const list = missingSections.map((s) => `- \`${s}\``).join('\n');
              // Comment first so the author sees why, then close. If the
              // comment call throws, the PR is left open (pulls.update is
              // never reached).
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.payload.pull_request.number,
                body: `This PR was automatically closed because the PR template was not properly filled out. The following required sections are missing:\n\n${list}\n\nPlease update your PR description to include all required sections and reopen the PR.`,
              });
              await github.rest.pulls.update({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.payload.pull_request.number,
                state: 'closed',
              });
            }