mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
ca1522385c
chore: harden GitHub Actions against script injection patterns (#50512) * fix: harden GitHub Actions against script injection vulnerabilities Replace direct ${{ }} expression interpolation in run: blocks with environment variables to prevent script injection attacks. Changes: - archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars - non-maintainer-dependency-change.yml: move user.login to env var - issue-unlabeled.yml: move toJSON(labels) to env var - issue-labeled.yml: move issue.number to env var - pipeline-electron-lint.yml: validate chromium_revision format - cipd-install/action.yml: move all inputs to env vars and quote them - set-chromium-cookie/action.yml: reference secrets via $ENV_VAR - Add security comments to all 5 pull_request_target workflows https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s * fix: allow version strings in chromium_revision validation The previous regex `^[a-f0-9]+$` only matched git SHAs but chromium_revision is a version string like `148.0.7741.0`. Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell metacharacters. https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s --------- Co-authored-by: Claude <noreply@anthropic.com>