fix(security): bundle for APS-19076 / APS-19077 / APS-19078

- APS-19076 (CVSS 9.3, env-var injection): allowlist env-var names
  exported from the BrowserStack rerun API in setBStackRerunEnvVars.
  Adds ALLOWED_RERUN_ENV_VARS (BROWSERSTACK_RERUN, BROWSERSTACK_RERUN_TESTS,
  BROWSERSTACK_BUILD_NAME) to setup-env/config/constants.js; filtered
  loop in setup-env/src/actionInput/index.js calls core.exportVariable
  only for allowlisted keys and core.warning for everything else.
  Updates existing test, adds negative-case test, rebuilds dist.

- APS-19077 (CVSS 8.7, supply chain + token scope): pins
  actions/setup-node@v4.4.0 and actions/checkout@v4.2.2 by SHA in both
  .github/workflows/setup-env.yml and setup-local.yml; adds top-level
  permissions: { contents: read } block to give the GITHUB_TOKEN least
  privilege (these workflows only run unit tests).

- APS-19078 (CVSS 7.6, stored XSS via report HTML): adds sanitize-html
  to browserstack-report-action; sanitizes basicHtml/richHtml in
  ReportProcessor.js with a strict allowlist (no inline event handlers,
  no javascript: URLs); strips JS hooks from richCss with sanitizeCss();
  injects CSP meta (script-src 'none'; default-src 'none') into the
  artifact HTML head in UploadFileForArtifact.js as defense-in-depth;
  rebuilds dist.

Tests: setup-env 37 passing (was 36, +1 negative-case); report-action
18 passing (no regression). Standalone XSS-strip sanity covers six
payloads including <img src=x onerror=alert(1)>, <script>, javascript:
URLs, <svg onload>, <iframe javascript:>; all stripped, safe HTML
preserved.

Resolves: APS-19076, APS-19077, APS-19078

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Jimesh-browserstack

.github/workflows/setup-env.yml

@@ -10,17 +10,23 @@ on:
     - '.github/workflows/setup-env*'
 
 
+# Security (APS-19077): least-privilege token scope. These workflows only
+# run unit tests; they do not push, comment, or release. Read access to repo
+# contents is sufficient.
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
         operating-system: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Node.js 24.x
-      uses: actions/setup-node@master
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 24.x
         cache: 'npm'

.github/workflows/setup-local.yml

@@ -10,17 +10,23 @@ on:
     - '.github/workflows/setup-local*'
 
 
+# Security (APS-19077): least-privilege token scope. These workflows only
+# run unit tests; they do not push, comment, or release. Read access to repo
+# contents is sufficient.
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
         operating-system: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Node.js 24.x
-      uses: actions/setup-node@master
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 24.x
         cache: 'npm'