From the workflow security audit: - symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir (removes a latent shell-injection surface; also clears dead commented code). - automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit so a mid-merge failure can't leave the repo on the wrong branch. - conflict.yml: document that this pull_request_target workflow must never check out or run PR-head code (it only labels via the API today).
# Labels pull requests that have merge conflicts against develop (and comments on them),
# using the base repository's token. It never touches PR-head code.
name: 🏷️🔀Merge Conflict Labeler

on:
  # Runs when develop moves — presumably so open PRs are re-checked against the new
  # base (conflict state can change without the PR itself changing); confirm against
  # the action's documentation.
  push:
    branches: [develop]
  # SECURITY: pull_request_target runs with the base repo's write token and secrets.
  # This job only labels via the API and is safe ONLY because it never checks out or
  # runs the PR head's code. NEVER add `actions/checkout` of the PR head (or any `run:`
  # that interpolates PR-controlled data) to this workflow — that would turn it into a
  # full repo-compromise vector.
  pull_request_target:
    branches: [develop]
    # `synchronize` only: fires when the PR head is updated. Other PR events
    # (opened, reopened) are deliberately not listed here.
    types: [synchronize]

jobs:
  label:
    name: 🏷️ Labeling Merge Conflicts
    runs-on: ubuntu-24.04
    # Skip on forks and mirrors — the labeling is only meaningful on the upstream repo.
    if: ${{ github.repository == 'streamyfin/streamyfin' }}
    # Least privilege for the job token: no checkout happens, so `contents` stays
    # read-only; `pull-requests: write` is what adding a label and posting the
    # conflict comment require.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: 🚩 Apply merge conflict label
        # Pinned to a full commit SHA so the action cannot be swapped out under a
        # moved tag; the trailing comment records the human-readable version.
        # Bump the SHA and the version comment together.
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
        with:
          dirtyLabel: '⚔️ merge-conflict'
          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
          # The job-scoped GITHUB_TOKEN, limited by the `permissions` block above.
          repoToken: '${{ secrets.GITHUB_TOKEN }}'