mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
9928c7d828
* fix: harden GitHub Actions against script injection vulnerabilities
Replace direct ${{ }} expression interpolation in run: blocks with
environment variables to prevent script injection attacks. Changes:
- archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars
- non-maintainer-dependency-change.yml: move user.login to env var
- issue-unlabeled.yml: move toJSON(labels) to env var
- issue-labeled.yml: move issue.number to env var
- pipeline-electron-lint.yml: validate chromium_revision format
- cipd-install/action.yml: move all inputs to env vars and quote them
- set-chromium-cookie/action.yml: reference secrets via $ENV_VAR
- Add security comments to all 5 pull_request_target workflows
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
* fix: allow version strings in chromium_revision validation
The previous regex `^[a-f0-9]+$` only matched git SHAs but
chromium_revision is a version string like `148.0.7741.0`.
Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell
metacharacters.
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
---------
Co-authored-by: Claude <noreply@anthropic.com>
74 lines
2.6 KiB
YAML
74 lines
2.6 KiB
YAML
name: Archaeologist
|
|
|
|
on:
|
|
pull_request:
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
archaeologist-dig:
|
|
name: Archaeologist Dig
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Checkout Electron
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Setup Node.js/npm
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
|
|
with:
|
|
node-version: 24.12.x
|
|
- name: Setting Up Dig Site
|
|
env:
|
|
CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
|
|
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
BASE_REF: ${{ github.event.pull_request.base.ref }}
|
|
run: |
|
|
echo "remote: $CLONE_URL"
|
|
echo "sha $HEAD_SHA"
|
|
echo "base ref $BASE_REF"
|
|
git clone https://github.com/electron/electron.git electron
|
|
cd electron
|
|
mkdir -p artifacts
|
|
git remote add fork "$CLONE_URL" && git fetch fork
|
|
git checkout "$HEAD_SHA"
|
|
git merge-base "origin/$BASE_REF" HEAD > .dig-old
|
|
echo "$HEAD_SHA" > .dig-new
|
|
cp .dig-old artifacts
|
|
|
|
- name: Generating Types for SHA in .dig-new
|
|
uses: ./.github/actions/generate-types
|
|
with:
|
|
sha-file: .dig-new
|
|
filename: electron.new.d.ts
|
|
- name: Generating Types for SHA in .dig-old
|
|
uses: ./.github/actions/generate-types
|
|
with:
|
|
sha-file: .dig-old
|
|
filename: electron.old.d.ts
|
|
- name: Upload artifacts
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
|
|
with:
|
|
name: artifacts
|
|
path: electron/artifacts
|
|
include-hidden-files: true
|
|
- name: Set job output
|
|
run: |
|
|
git diff --no-index electron.old.d.ts electron.new.d.ts > patchfile || true
|
|
if [ -s patchfile ]; then
|
|
echo "Changes Detected"
|
|
echo "## Changes Detected" > $GITHUB_STEP_SUMMARY
|
|
echo "Looks like the \`electron.d.ts\` file changed." >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "\`\`\`\`\`\`diff" >> $GITHUB_STEP_SUMMARY
|
|
cat patchfile >> $GITHUB_STEP_SUMMARY
|
|
echo "\`\`\`\`\`\`" >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "No Changes Detected"
|
|
echo "## No Changes" > $GITHUB_STEP_SUMMARY
|
|
echo "We couldn't see any changes in the \`electron.d.ts\` artifact" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
working-directory: ./electron/artifacts
|