chore(security): harden helpers + document conflict-labeler safety

From the workflow security audit: - symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir (removes a latent shell-injection surface; also clears dead commented code). - automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit so a mid-merge failure can't leave the repo on the wrong branch. - conflict.yml: document that this pull_request_target workflow must never check out or run PR-head code (it only labels via the API today).
2026-06-02 12:08:37 +01:00 · 2026-06-01 20:35:05 +02:00
parent 54ee507209
commit 06510d2bd6
3 changed files with 70 additions and 89 deletions
--- a/.github/workflows/conflict.yml
+++ b/.github/workflows/conflict.yml
@@ -1,24 +1,29 @@
-name: 🏷️🔀Merge Conflict Labeler
-
-on:
-  push:
-    branches: [develop]
-  pull_request_target:
-    branches: [develop]
-    types: [synchronize]
-
-jobs:
-  label:
-    name: 🏷️ Labeling Merge Conflicts
-    runs-on: ubuntu-24.04
-    if: ${{ github.repository == 'streamyfin/streamyfin' }}
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: 🚩 Apply merge conflict label
-        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        with:
-          dirtyLabel: '⚔️ merge-conflict'
-          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
-          repoToken: '${{ secrets.GITHUB_TOKEN }}'
+name: 🏷️🔀Merge Conflict Labeler
+
+on:
+  push:
+    branches: [develop]
+  # SECURITY: pull_request_target runs with the base repo's write token and secrets.
+  # This job only labels via the API and is safe ONLY because it never checks out or
+  # runs the PR head's code. NEVER add `actions/checkout` of the PR head (or any `run:`
+  # that interpolates PR-controlled data) to this workflow — that would turn it into a
+  # full repo-compromise vector.
+  pull_request_target:
+    branches: [develop]
+    types: [synchronize]
+
+jobs:
+  label:
+    name: 🏷️ Labeling Merge Conflicts
+    runs-on: ubuntu-24.04
+    if: ${{ github.repository == 'streamyfin/streamyfin' }}
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 🚩 Apply merge conflict label
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
+        with:
+          dirtyLabel: '⚔️ merge-conflict'
+          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
+          repoToken: '${{ secrets.GITHUB_TOKEN }}'