Merge branch 'main' of github.com:microsoft/react-native-windows into refactor-op-tests

JunielKatarn · JunielKatarn · commit 41fa0b1a842e · 2026-06-19T16:20:11.000-07:00
diff --git a/.github/workflows/perf-comment.yml b/.github/workflows/perf-comment.yml
@@ -39,6 +39,11 @@ jobs:
             exit 0
           fi
           PR_NUMBER=$(cat "$PR_FILE" | tr -d '[:space:]')
+          # Validate: must be a positive integer to prevent injection via artifact poisoning
+          if ! echo "$PR_NUMBER" | grep -qE '^[1-9][0-9]*$'; then
+            echo "::error::Invalid PR number in artifact: not a positive integer"
+            exit 1
+          fi
           echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
           echo "skip=false" >> "$GITHUB_OUTPUT"
 
@@ -58,12 +63,20 @@ jobs:
       - name: Post or update PR comment
         if: steps.pr.outputs.skip != 'true' && steps.report.outputs.skip != 'true'
         uses: actions/github-script@v7
+        env:
+          REPORT_PATH: ${{ steps.report.outputs.path }}
+          PR_NUMBER: ${{ steps.pr.outputs.number }}
         with:
           script: |
             const fs = require('fs');
             const marker = '<!-- rnw-perf-results -->';
-            const reportPath = '${{ steps.report.outputs.path }}';
-            const prNumber = parseInt('${{ steps.pr.outputs.number }}', 10);
+            const reportPath = process.env.REPORT_PATH;
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
+
+            if (!Number.isInteger(prNumber) || prNumber <= 0) {
+              core.setFailed('Invalid PR number from artifact — possible artifact poisoning.');
+              return;
+            }
 
             const markdown = fs.readFileSync(reportPath, 'utf-8');
             const body = `${marker}\n${markdown}`;
