mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
ca1522385c
chore: harden GitHub Actions against script injection patterns (#50512) * fix: harden GitHub Actions against script injection vulnerabilities Replace direct ${{ }} expression interpolation in run: blocks with environment variables to prevent script injection attacks. Changes: - archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars - non-maintainer-dependency-change.yml: move user.login to env var - issue-unlabeled.yml: move toJSON(labels) to env var - issue-labeled.yml: move issue.number to env var - pipeline-electron-lint.yml: validate chromium_revision format - cipd-install/action.yml: move all inputs to env vars and quote them - set-chromium-cookie/action.yml: reference secrets via $ENV_VAR - Add security comments to all 5 pull_request_target workflows https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s * fix: allow version strings in chromium_revision validation The previous regex `^[a-f0-9]+$` only matched git SHAs but chromium_revision is a version string like `148.0.7741.0`. Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell metacharacters. https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s --------- Co-authored-by: Claude <noreply@anthropic.com>
51 lines
1.9 KiB
YAML
51 lines
1.9 KiB
YAML
name: Pull Request Labeled
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [labeled]
|
|
|
|
# SECURITY: This workflow uses pull_request_target and has access to secrets.
|
|
# Do NOT checkout or run code from the PR head. All code execution must use
|
|
# the base branch only. Adding a ref to PR head would expose secrets to
|
|
# untrusted code.
|
|
permissions: {}
|
|
|
|
jobs:
|
|
pull-request-labeled-backport-requested:
|
|
name: backport/requested label added
|
|
if: github.event.label.name == 'backport/requested 🗳'
|
|
runs-on: ubuntu-latest
|
|
permissions: {}
|
|
steps:
|
|
- name: Trigger Slack workflow
|
|
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
|
|
with:
|
|
webhook: ${{ secrets.BACKPORT_REQUESTED_SLACK_WEBHOOK_URL }}
|
|
webhook-type: webhook-trigger
|
|
payload: |
|
|
{
|
|
"base_ref": ${{ toJSON(github.event.pull_request.base.ref) }},
|
|
"title": ${{ toJSON(github.event.pull_request.title) }},
|
|
"url": ${{ toJSON(github.event.pull_request.html_url) }},
|
|
"user": ${{ toJSON(github.event.pull_request.user.login) }}
|
|
}
|
|
pull-request-labeled-deprecation-review-complete:
|
|
name: deprecation-review/complete label added
|
|
if: github.event.label.name == 'deprecation-review/complete ✅'
|
|
runs-on: ubuntu-latest
|
|
permissions: {}
|
|
steps:
|
|
- name: Generate GitHub App token
|
|
uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
|
|
id: generate-token
|
|
with:
|
|
creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
|
|
org: electron
|
|
- name: Set status
|
|
uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
|
|
with:
|
|
token: ${{ steps.generate-token.outputs.token }}
|
|
project-number: 94
|
|
field: Status
|
|
field-value: ✅ Reviewed
|