The pull_request_target workflow checked out and executed Go scripts from
the PR head, allowing attackers to inject arbitrary code via init()
functions with access to a write-scoped GITHUB_TOKEN. This was confirmed
exploited in the wild (ref: StepSecurity blog).
Checkout now targets the base branch so only trusted scripts execute.
PR head SHA is fetched as data-only for diffing via a new PR_HEAD_SHA
env var. Write operations (comments, labels) are isolated in a separate
report job that never checks out code. All job permissions follow least
privilege — quality runs read-only, report holds the write token.
fixed: #6083
Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
Co-Authored-By: Thierry Abalea <thierry.abalea@shipfox.io>
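A workflow of the shape the commit message describes, added here as an illustration and not the project's own workflow file: the untrusted head is fetched as data only, scripts run from the base branch with a read-only token, and the single write scope lives in a job that never checks out code. `PR_HEAD_SHA` is the variable the commit names; the job names, the checker path `./scripts/check` and the comment body are assumptions.

```yaml
name: quality
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read            # workflow-wide default: nothing above read

jobs:
  quality:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # read-only GITHUB_TOKEN in this job
    env:
      # The untrusted PR commit, exposed only as data for diffing.
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - uses: actions/checkout@v4
        # No `ref:` here: under pull_request_target the default ref is the
        # base branch, so the scripts executed below come from the trusted tree.
        # The vulnerable form was:  ref: ${{ github.event.pull_request.head.sha }}
        with:
          fetch-depth: 0
      - name: Fetch PR head as data only (never checked out)
        run: git fetch --no-tags origin "$PR_HEAD_SHA"
      - name: Diff base against the PR head (untrusted tree is read, not run)
        run: git diff --name-only HEAD "$PR_HEAD_SHA" -- README.md > changed.txt
      - name: Run the trusted checker from the base branch
        # ./scripts/check is a hypothetical path standing in for the Go scripts.
        run: go run ./scripts/check changed.txt

  report:
    needs: quality
    if: always()
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write  # the only write scope in the workflow
    steps:
      # Deliberately no actions/checkout: no code from either tree runs here.
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              // Only a trusted job result is interpolated, never PR-controlled text.
              body: `Quality job result: ${{ needs.quality.result }}`,
            });
```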
* fix typo in README.md
fixes #3204
* #1446 implement test for stale repositories
* fix #1446
* fixes #3211 added check if issue has not been previously opened
* fixes #3211 add limit to number of issues created at a time
* fixes #3211 reformat issue message
* checks for dead links as well
* fixes #3211 handle status code 302 and 301
* fixes #3211 handle status code 302 and 301
* fixes #3211 handle status code 302 and 301
* fixes #3211 test workflow
* fixes #3211 test workflow
* fixes #3211 test workflow again
* fixes #3211 test workflow again
* remove workflows and start over
* re add workflow
* apply review suggestions
* add environment variable. modify workflow to run once a week
* add check for archived repositories and reformat
* reformat code to improve readability
* reformat to improve readability
* cause continue and not break if href not found
* satisfy code climate requirements
* initial version html generate
After being made to change the master generate html based on markdown,
ref #363
* change package name, repo to main
* up port 80 on caddy server
* install mux on travis build
* generate sitemap
* added robots.txt
* set metatags on html page
* update repo via exec
get the most current readme
* remove unnecessary lowdash assign
* fix linter errors, remove unnecessary conversion, add binary to .gitignore
* fix fonts, use domain-level assets