fix(security): harden .gitignore, pin actions, fix CI injection risk

gl0bal01 · claude · gl0bal01 · commit c65a81b2c8e8 · 2026-03-18T21:46:18.000Z
- .gitignore: replace specific .env.* entries with .env.* glob + !.env.example
- .env.example: fix nuclei template path from /root/ to /opt/
- mirror.yml: pin actions/checkout to SHA
- update-doi.yml: pin actions/checkout to SHA, fix command injection risk
  by moving github.event.release.tag_name to env var instead of inline

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.env.example b/.env.example
@@ -31,7 +31,7 @@ EXIFTOOL_PATH=exiftool
 SHERLOCK_PATH=sherlock
 MAIGRET_PATH=maigret
 NUCLEI_PATH=nuclei
-NUCLEI_TEMPLATE_PATH=/root/nuclei-templates/http/osint/user-enumeration
+NUCLEI_TEMPLATE_PATH=/opt/nuclei-templates/http/osint/user-enumeration
 
 # JWT Tool
 JWT_TOOL_PATH=/opt/tools/jwt_tool
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
@@ -9,7 +9,7 @@ jobs:
   codeberg:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Configure Git
diff --git a/.github/workflows/update-doi.yml b/.github/workflows/update-doi.yml
@@ -12,22 +12,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Wait for Zenodo processing
         run: sleep 300
 
       - name: Update CITATION.cff
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
-          sed -i "s/^version:.*/version: ${{ github.event.release.tag_name }}/" CITATION.cff
+          sed -i "s/^version:.*/version: $TAG_NAME/" CITATION.cff
           sed -i "s/^date-released:.*/date-released: $(date +%Y-%m-%d)/" CITATION.cff
 
       - name: Commit changes
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
           git config --local user.name "GitHub Action"
           git config --local user.email "action@github.com"
           git add CITATION.cff
-          git commit -m "Update citation info for ${{ github.event.release.tag_name }}" || exit 0
+          git commit -m "Update citation info for $TAG_NAME" || exit 0
           git push
diff --git a/.gitignore b/.gitignore
@@ -7,10 +7,8 @@ yarn.lock
 
 # Environment variables and configuration
 .env
-.env.local
-.env.development.local
-.env.test.local
-.env.production.local
+.env.*
+!.env.example
 config.json
 
 # Temporary files and directories
