
Potential fix for code scanning alert no. 2: Code injection#9799

Open

iav wants to merge 1 commit into armbian:main from iav:alert-autofix-2

Conversation

@iav (Contributor) commented May 10, 2026

Potential fix for https://github.com/iav/armbian/security/code-scanning/2

Use the untrusted value via an intermediate environment variable and read it from process.env inside the script, instead of embedding ${{ ... }} directly into JavaScript code.

Best fix in this file:

  • In the "Remove review-related labels" step, add:

      env:
        PR_NUMBER: ${{ steps.pr.outputs.number }}

  • In the script, replace:

      const issue_number = ${{ steps.pr.outputs.number }};

    with:

      const issue_number = Number.parseInt(process.env.PR_NUMBER || "", 10);

    plus a validation guard to ensure it is a positive integer before calling the API.

This preserves functionality (using the same PR number) while preventing code injection through expression interpolation in script source.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Chores
    • Improved CI workflow for PR label handling: the workflow now validates the PR number and more reliably removes review-related labels.
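The hardened pattern the description recommends, worked through as an added example rather than the workflow's own code: the script body reads the PR number from `process.env` instead of having `${{ ... }}` expanded into its source, so the value is data, not code. The env mapping in the comment, the label names, the `run`/`parsePrNumber`/`removeReviewLabels` helpers and the fake Octokit client are assumptions made for this example; the actual labels the armbian workflow removes are not listed on this page. The guard also goes one step beyond the description's `Number.parseInt` check by requiring an all-digit string, because `parseInt("12abc", 10)` would otherwise silently return `12`.

```javascript
// Added example (not the armbian workflow's code): the body of a hardened
// "Remove review-related labels" actions/github-script step, written as a
// plain module so it runs and can be tested outside GitHub Actions.
//
// The step is assumed to hand the value over like this (assumed YAML shape):
//   - name: Remove review-related labels
//     uses: actions/github-script@v7
//     env:
//       PR_NUMBER: ${{ steps.pr.outputs.number }}
//     with:
//       script: |
//         ... this body ...
//
// Because PR_NUMBER arrives through process.env it never becomes part of the
// JavaScript source, so the expression's content cannot change what runs.

// Assumed label names; the page does not list the real ones.
const REVIEW_LABELS = ["Needs review", "Ready for review"];

// Parse and validate the PR number. Number.parseInt alone accepts "12abc"
// as 12, so an all-digits check is applied before parsing.
function parsePrNumber(raw) {
  const value = (raw ?? "").trim();
  if (!/^\d+$/.test(value)) {
    throw new Error(`PR_NUMBER is not a positive integer: ${JSON.stringify(raw)}`);
  }
  const n = Number.parseInt(value, 10);
  if (!Number.isSafeInteger(n) || n <= 0) {
    throw new Error(`PR_NUMBER out of range: ${value}`);
  }
  return n;
}

// Remove each review label; a 404 means the label was not on the PR, which
// is not an error here. `github` is the Octokit client github-script injects,
// taken as a parameter so a fake can be substituted.
async function removeReviewLabels(github, owner, repo, issue_number, labels = REVIEW_LABELS) {
  const removed = [];
  for (const name of labels) {
    try {
      await github.rest.issues.removeLabel({ owner, repo, issue_number, name });
      removed.push(name);
    } catch (err) {
      if (err.status !== 404) throw err;
    }
  }
  return removed;
}

// Entry point in the shape the workflow step would call it; `env` defaults
// to the real process environment.
async function run(github, context, env = process.env) {
  const issue_number = parsePrNumber(env.PR_NUMBER);
  return removeReviewLabels(github, context.repo.owner, context.repo.repo, issue_number);
}

// Fake Octokit client for stand-alone runs: records calls and answers 404 for
// any label not in `present` (a constructed set of labels "on" the PR).
function fakeGithub(present) {
  const calls = [];
  return {
    calls,
    rest: {
      issues: {
        removeLabel: async (params) => {
          calls.push(params);
          if (!present.has(params.name)) {
            const e = new Error("Not Found");
            e.status = 404;
            throw e;
          }
        },
      },
    },
  };
}
```

In the real step the `github` and `context` objects are provided by `actions/github-script`, so only the body from `parsePrNumber` onward goes into `script:`; keeping the validation in a named function makes it straightforward to unit-test the guard on its own.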

@coderabbitai (Contributor, Bot) commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 57585e96-5f31-4254-b3c8-d7351bab6321

📥 Commits

Reviewing files that changed from the base of the PR and between 7276fcb and 0778eef.

📒 Files selected for processing (1)
  • .github/workflows/maintenance-label-on-approval.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/maintenance-label-on-approval.yml

📝 Walkthrough

The pull request adds input validation to a GitHub Actions workflow step that removes review-related labels from pull requests. The PR number is now passed as an environment variable, parsed as an integer, validated for positivity, and the operation proceeds only if validation succeeds.

Changes

GitHub Actions - PR Label Management

| Layer / File(s) | Summary |
| --- | --- |
| PR Number Validation and Label Removal (.github/workflows/maintenance-label-on-approval.yml) | Script receives PR number via env.PR_NUMBER, validates it as a positive integer, fails the step if invalid, and removes review labels using the validated number. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A workflow so keen, with validation pristine,
Now checks every number, ensuring it's clean.
No bad PR sneaks through—the script stands on guard,
Parsing and testing, its duty not hard. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title specifically references fixing a code injection security alert, which directly aligns with the PR's main objective of addressing a code-scanning alert by preventing direct interpolation of GitHub Actions expressions into JavaScript. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions (Bot) added labels "Needs review" (Seeking for review), "GitHub Actions" (GitHub Actions code), "size/small" (PR with less then 50 lines), "05 Milestone: Second quarter release" on May 10, 2026
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@iav iav force-pushed the alert-autofix-2 branch from 7276fcb to 0778eef Compare May 12, 2026 22:18