[PR #7448] [MERGED] Security hardening: validate release notes and workflow inputs #56476

New Issue

GiteaMirror · 2026-05-01T04:22:48-05:00

GiteaMirror commented

2026-05-01 04:22:48 -05:00

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/7448
Author: @MatissJanis
Created: 4/9/2026
Status: ✅ Merged
Merged: 4/10/2026
Merged by: @MatissJanis

Base: master ← Head: claude/security-vulnerability-scan-fx8Pk

📝 Commits (4)

88b02ea [AI] Harden GitHub Actions workflows against low-severity security issues
e92c53e Add release notes for PR #7448
465b9e4 [AI] Address review feedback on security hardening
7776d23 [AI] Remove debug console.log statements for category in release notes script

📊 Changes

6 files changed (+78 additions, -23 deletions)

View changed files

📝 .github/actions/ai-generated-release-notes/create-release-notes-file.js (+54 -13)
📝 .github/actions/ai-generated-release-notes/generate-summary.js (+0 -2)
📝 .github/workflows/generate-release-pr.yml (+3 -2)
📝 .github/workflows/i18n-string-extract-master.yml (+12 -4)
📝 .github/workflows/netlify-release.yml (+3 -2)
➕ upcoming-release-notes/7448.md (+6 -0)

📄 Description

Description

Further hardening of our CI jobs. Preventing secrets from leaking and injections from happening (low likelihood, but doesn't hurt to get these rock-solid).

N/A

Testing

N/A

Checklist

No obvious regressions in affected areas
Self-review has been performed - input validation logic is clear and security improvements are straightforward

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/7448 **Author:** [@MatissJanis](https://github.com/MatissJanis) **Created:** 4/9/2026 **Status:** ✅ Merged **Merged:** 4/10/2026 **Merged by:** [@MatissJanis](https://github.com/MatissJanis) **Base:** `master` ← **Head:** `claude/security-vulnerability-scan-fx8Pk` --- ### 📝 Commits (4) - [`88b02ea`](https://github.com/actualbudget/actual/commit/88b02ea96051b278f42b9770861c1ac51c4d52bb) [AI] Harden GitHub Actions workflows against low-severity security issues - [`e92c53e`](https://github.com/actualbudget/actual/commit/e92c53ea0aadccc9f7f7c94b2e02395eeb7341ad) Add release notes for PR #7448 - [`465b9e4`](https://github.com/actualbudget/actual/commit/465b9e465dd804abd72554743090acc6541ef6ee) [AI] Address review feedback on security hardening - [`7776d23`](https://github.com/actualbudget/actual/commit/7776d231fe77acace2b2a5a298950107b52041f2) [AI] Remove debug console.log statements for category in release notes script ### 📊 Changes **6 files changed** (+78 additions, -23 deletions) <details> <summary>View changed files</summary> 📝 `.github/actions/ai-generated-release-notes/create-release-notes-file.js` (+54 -13) 📝 `.github/actions/ai-generated-release-notes/generate-summary.js` (+0 -2) 📝 `.github/workflows/generate-release-pr.yml` (+3 -2) 📝 `.github/workflows/i18n-string-extract-master.yml` (+12 -4) 📝 `.github/workflows/netlify-release.yml` (+3 -2) ➕ `upcoming-release-notes/7448.md` (+6 -0) </details> ### 📄 Description ## Description Further hardening of our CI jobs. Preventing secrets from leaking and injections from happening (low likelihood, but doesn't hurt to get these rock-solid). ## Related issue(s) N/A ## Testing N/A ## Checklist - [x] No obvious regressions in affected areas - [x] Self-review has been performed - input validation logic is clear and security improvements are straightforward https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-05-01 04:22:48 -05:00

GiteaMirror closed this issue

2026-05-01 04:22:53 -05:00

Sign in to join this conversation.

Branches Tags

master

claude/hide-default-categories-1cwBZ

matiss/crdt-source-loading

youngcw/unlock-duplicates

matiss/crdt-protobuf

release/26.5.0

claude/update-issue-template-ykMNn

claude/fix-issue-7667-DPXi3

cursor/formula-feedback-improvements-4223

cursor/resolve-pr-7449-ee11

claude/fix-typescript-build-error-JPtZ5

jfdoming/api-tokens-part-3

jfdoming/api-tokens-part-2

jfdoming/api-tokens-part-1

claude/speed-up-vrt-workflow-ZAyI5

claude/crdt-version-auto-publish-Ph1BH

copilot/add-repository-configs-to-packages

worktree-compressed-drifting-ritchie

worktree-mellow-strolling-dawn

matiss/browser-api

claude/api-consumer-verification-kfz1K

feature/enable-banking

cursor/transaction-table-rewrite-f077

pr-7454

claude/fix-issue-7410-LLLQ4

release/v100.0.0

revert-7350-trim-deps

revert-7220-sankey-report

revert-7242-fix/split-parent-update-corruption

revert-7281-generate-icons

claude/electron-to-tauri-migration-LjBN8

worktree-remotion

release/vv26.4.0-pre

claude/browser-compatible-api-QbhHh

claude/improve-cli-transactions-waTUY

claude/publish-react-native-ios-j8qoT

js-proxy

claude/fix-flaky-ci-job-5gDdz

react-query-rules

react-query-useSchedules

claude/nightly-theme-validation-scan-DzOGD

claude/debug-simplefin-error-ZuKzB

matiss/desktop-client-subpath-imports

claude/fix-simplefin-ssrf-T31gX

claude/release-notes-validation-X7rvR

add-claude-github-actions-1772738270730

cursor/sync-performance-notification-9899

react-query-prefs

matiss/chunked-sync-and-progress-ux

v26.2.1

copilot/sub-pr-6880

fix-react-query-clear-on-close-budget

copilot/sub-pr-6140

feat/auto-note

feat/scoped-bank-sync

cursor/desktop-transactions-react-table-1d0c

fix-exhaustive-deps-App

copilot/fix-find-replace-bug

release/v26.2.0-pre

matiss/browser-tests

mobile-fix-drag-and-drop-across-groups

budget-table-v2

PayeeAutocomplete2

pglite

bugfix/plugins/fix-plugins-sw

feat/plugins/plugins-core-package

prerelease

matiss/unicode-minus-fix

cursor/fix-actual-github-issue-6206-gemini-3-pro-preview-9c37

TransactionFormPage

cursor/implement-mortgage-and-loan-account-type-78ca

tests-update-fill-with-pressSequentially

mobile/link-modal

deps/25.11

cursor/fix-update-vrt-apply-ci-job-dispatch-b324

sync-server-plugins

cursor/propose-patch-for-github-issue-5680-2a18

fix/compiler-preserve-inner-dollar-escapes

cursor/analyze-actual-budget-issue-and-propose-fix-5b70

coderabbitai/docstrings/0c070e5

cursor/add-wip-prefix-and-comment-to-prs-d78d

jfdoming/08-21-auto-focus-on-navigate-in-all-browsers

show-totals-on-mobile-budget-banners

allow-child-transactions-make-transfer

mobile-calculator-keyboard

payee-geolocation

enhance/restore_scroll_position

dm-fix-second-click-on-mobile-new-transaction-2

scrollToLocationBudget

alert-autofix-38

tsconfig-composite

mobile-fix-uncategorized-transactions-on-tracking-budgets

server-budget-handlers

fix-sql-injection-in-cleanup-template

non-chrome-draggable-workaround

mobile-budget-page-swipe-navigation

ts-db-all

stable

dark-theme-with-brand-colors

fix-mobile-delete-group

ts-db-select

UnderKoen/reconcile-context-menu

master-before-server-merge

v25.2.1

ts-runQuery

rename-redux-hooks

UnderKoen/3557-persist-state-in-history

remove-redux-CLOSE_BUDGET

fix-exhaustive-deps-errors-FinancesApp

redux-toolkit-createSlice-backup

accounts-function-component

ts-useSplitsExpanded

loot-core-server-package

useTransactios-in-TransactionEdit

react-aria-input

move-redux-to-desktop-client

QueryState-type

fix-themes-applied-late

mobile-vrts

revert-3295-spendingCardFix

react-aria-button-4

split-payee-on-mobile

twk3/pin-apis-crdt

notes-tag-autocomplete

ts-LoadBackup

dnd-kit

package-upgrades

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/actual#56476