From 22d09ab7e96bf36773d4d0b89e5e79cddfaaf5df Mon Sep 17 00:00:00 2001
From: "hf-security-analysis[bot]" <265538906+hf-security-analysis[bot]@users.noreply.github.com>
Date: Tue, 19 May 2026 10:39:34 +0000
Subject: [PATCH] fix(security): remediate workflow vulnerability in .github/workflows/security-audit.yml
---
 .github/workflows/security-audit.yml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index be26f32c..27a2d3f8 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -156,18 +156,24 @@ jobs:
 MENTION=""
 if [ -n "${SLACK_IDS[$COMMIT_AUTHOR]:-}" ]; then
- ROLE=$(gh api "repos/${REPO}/collaborators/${COMMIT_AUTHOR}/permission" --jq '.role_name' 2>/dev/null || true)
- if [ "$ROLE" = "admin" ] || [ "$ROLE" = "maintain" ]; then
- MENTION="<@${SLACK_IDS[$COMMIT_AUTHOR]}> "
+ ROLE=$(gh api "repos/${REPO}/collaborators/${COMMIT_AUTHOR}/permission" --jq '.role_name' 2>/dev/null || echo "none")
+ if [ "$ROLE" != "admin" ] && [ "$ROLE" != "maintain" ]; then
+ echo "Error: Commit author ${COMMIT_AUTHOR} does not have admin or maintain role (role: ${ROLE})"
+ exit 1
 fi
+ MENTION="<@${SLACK_IDS[$COMMIT_AUTHOR]}> "
+ else
+ echo "Error: Commit author ${COMMIT_AUTHOR} not in authorized SLACK_IDS list"
+ exit 1
 fi
- printf -v HEADER '%s*Security Audit Finding*\n*Commit:* <%s|%s>\n*Author:* %s\n\n---\n\n' \
- "$MENTION" "$COMMIT_URL" "$COMMIT_TITLE" "$COMMIT_AUTHOR"
-
 jq -n \
- --arg text "${HEADER}${FINDINGS}" \
- '{"text": $text}' > /tmp/slack_payload.json
+ --arg mention "$MENTION" \
+ --arg commit_url "$COMMIT_URL" \
+ --arg commit_title "$COMMIT_TITLE" \
+ --arg commit_author "$COMMIT_AUTHOR" \
+ --arg findings "$FINDINGS" \
+ '{"text": (($mention + "*Security Audit Finding*\n*Commit:* <" + $commit_url + "|" + $commit_title + ">\n*Author:* " + $commit_author + "\n\n---\n\n" + $findings))}' > /tmp/slack_payload.json
 curl -sf -X POST "$SLACK_WEBHOOK_URL" \
 -H 'Content-Type: application/json' \