93d89ba662
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 22s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 33s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m14s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m58s
Security fixes:

- On GitHub/GHES (VCS_TYPE=github), inputs.gitea-url is now completely ignored. API calls use github.api_url; downloads use github.server_url. Tokens are never sent to user-supplied URLs.
- Replace action_token step output with masked GITHUB_ENV variable to prevent token leakage in debug logs.
- Validate action-repo against owner/repo pattern to prevent path traversal.
- Validate SERVER_URL in Gitea path: require https:// scheme, reject whitespace and newlines.
- Strengthen VERSION validation: block slashes and whitespace in addition to newlines.
- Add integrity check in Install step: verify SERVER_URL matches github.server_url on GitHub runners.

Addresses findings from security-review-bot on PR #121.

Deferred: full IP-level SSRF defense (see #123).
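The validation rules the commit message lists, written out as POSIX shell helpers so the checks can be read in one place. This is an added example, not code from this commit or from the action it patches; the function names, the exact character classes, and the extra userinfo ("@") check on the server URL are my own choices and go slightly beyond what the commit message states. The sample inputs in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the project's code: shell helpers implementing the
# validation rules listed in the commit message. Function names, the exact
# regexes and the "@" userinfo check are assumptions, not the project's.

NL='
'
TAB=$(printf '\t')
CR=$(printf '\r')

# Any whitespace (space, tab, CR, LF) in a value lets it smuggle a second
# line into GITHUB_ENV/GITHUB_OUTPUT or a second argument into a command.
has_ws() {
  case "$1" in
    *"$NL"*|*"$CR"*|*"$TAB"*|*' '*) return 0 ;;
  esac
  return 1
}

# action-repo must be exactly owner/repo: one slash, a conservative charset,
# and no component starting with "." (rules out ".", ".." and ".git").
validate_action_repo() {
  repo="$1"
  has_ws "$repo" && return 1
  printf '%s' "$repo" \
    | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]*/[A-Za-z0-9_][A-Za-z0-9_.-]*$'
}

# Gitea SERVER_URL: https:// only, no whitespace/newlines, a non-empty host.
# The userinfo check is an addition beyond the commit's stated rules: it
# rejects "https://github.com@evil.example/", which reads like a trusted host.
validate_server_url() {
  url="$1"
  has_ws "$url" && return 1
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  host=${url#https://}
  host=${host%%/*}
  [ -n "$host" ] || return 1
  case "$host" in
    *@*) return 1 ;;
  esac
  return 0
}

# VERSION is spliced into a download path/URL: reject empty, whitespace,
# newlines and slashes so it cannot select a different path component.
validate_version() {
  v="$1"
  [ -n "$v" ] || return 1
  has_ws "$v" && return 1
  case "$v" in
    */*) return 1 ;;
  esac
  return 0
}

# On GitHub/GHES the user-supplied gitea-url is ignored entirely and the
# runner's own server URL wins; on Gitea the supplied URL must validate.
resolve_server_url() {
  vcs_type="$1"; gitea_url="$2"; runner_server_url="$3"
  case "$vcs_type" in
    github) printf '%s\n' "$runner_server_url" ;;
    gitea)  validate_server_url "$gitea_url" || return 1
            printf '%s\n' "$gitea_url" ;;
    *)      return 1 ;;
  esac
}

# Install-step integrity check: on GitHub runners the URL that downloads
# will use must equal what the runner reports in GITHUB_SERVER_URL.
check_server_matches_runner() {
  vcs_type="$1"; server_url="$2"; runner_server_url="$3"
  [ "$vcs_type" != "github" ] || [ "$server_url" = "$runner_server_url" ]
}

# Hand the token to later steps as a masked env var rather than a step output:
# "::add-mask::" is the workflow command that registers a value for log
# redaction and must be emitted before the value is written anywhere. Tokens
# containing whitespace are refused because a newline would inject extra
# lines into GITHUB_ENV.
export_masked_token() {
  token="$1"
  [ -n "$token" ] || return 1
  has_ws "$token" && return 1
  [ -n "${GITHUB_ENV-}" ] || return 1
  printf '::add-mask::%s\n' "$token"
  printf 'ACTION_TOKEN=%s\n' "$token" >> "$GITHUB_ENV"
}

# Demo over constructed inputs: sh this_file.sh --demo
if [ "${1-}" = "--demo" ]; then
  for r in rodin/security-patterns ../../etc/passwd 'owner/..' 'a/b/c'; do
    if validate_action_repo "$r"; then echo "ok      action-repo=$r"
    else echo "reject  action-repo=$r"; fi
  done
  for u in https://gitea.example.com http://gitea.example.com 'https://github.com@evil.example/'; do
    if validate_server_url "$u"; then echo "ok      server-url=$u"
    else echo "reject  server-url=$u"; fi
  done
fi
```

Source the file from the composite action's `run:` step and call the helpers before any value reaches a URL, a path or GITHUB_ENV; every helper returns non-zero on a rejected input so `set -e` in the step aborts the job at the first bad value.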