chore(security): harden helpers + document conflict-labeler safety

From the workflow security audit: - symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir (removes a latent shell-injection surface; also clears dead commented code). - automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit so a mid-merge failure can't leave the repo on the wrong branch. - conflict.yml: document that this pull_request_target workflow must never check out or run PR-head code (it only labels via the API today).
2026-06-02 03:58:36 +01:00 · 2026-06-01 20:35:05 +02:00
parent 54ee507209
commit 06510d2bd6
3 changed files with 70 additions and 89 deletions
--- a/scripts/automerge.sh
+++ b/scripts/automerge.sh
@@ -1,12 +1,22 @@
 #!/bin/bash
-[[ -z $(git status --porcelain) ]] &&
-git checkout master &&
-git pull --ff-only &&
-git checkout develop &&
-git merge master &&
-git push --follow-tags &&
-git checkout master &&
-git merge develop --ff-only &&
-git push &&
-git checkout develop ||
-(echo "Error: Failed to merge" && exit 1)
+# Local helper: fast-forward master into develop and back. Aborts on any failure and
+# restores the branch you started on. Not used in CI.
+set -euo pipefail
+
+if [[ -n $(git status --porcelain) ]]; then
+  echo "Error: working tree is not clean — commit or stash first." >&2
+  exit 1
+fi
+
+start_branch=$(git rev-parse --abbrev-ref HEAD)
+trap 'git checkout "$start_branch" >/dev/null 2>&1 || true' EXIT
+
+git checkout master
+git pull --ff-only
+git checkout develop
+git merge master
+git push --follow-tags
+git checkout master
+git merge develop --ff-only
+git push
+git checkout develop