[build] Pre-release workflow improvements by titusfortner · Pull Request #16946 · SeleniumHQ/selenium

Security Compliance
Unpinned GitHub Actions

Description: Multiple third-party GitHub Actions are referenced by mutable tags (e.g.,
rtCamp/action-slack-notify@v2, peter-evans/create-pull-request@v6,
bazel-contrib/setup-bazel@0.18.0, and actions/checkout@v4) rather than being pinned to a
full commit SHA, which creates a supply-chain risk where a compromised or retagged action
could exfiltrate secrets like SLACK_WEBHOOK_URL or SELENIUM_CI_TOKEN.
pre-release.yml [22-210]

Referred Code
get-approval:
  name: Get Approval
  uses: ./.github/workflows/get-approval.yml
  with:
    title: Release approval needed
    message: |
      Selenium ${{ github.event.inputs.version }} release preparation started.
      Please approve to lock trunk when ready.
  secrets:
    SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

update-rust:
  name: Update Rust Version
  runs-on: ubuntu-latest
  if: github.event.repository.fork == false
  steps:
    - name: "Checkout repo"
      uses: actions/checkout@v4
      with:
        persist-credentials: false
        fetch-depth: 0


 ... (clipped 168 lines)
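For the Unpinned GitHub Actions finding above, the following is a small local check that flags `uses:` references not pinned to a full 40-character commit SHA, so the condition can be caught before the workflow is merged. This is an added example, not code from SeleniumHQ/selenium or from this PR; the sample workflow text is constructed to mirror the refs the review lists, and the 40-hex SHA in it is a placeholder, not the real commit behind any actions/checkout tag.

```bash
#!/usr/bin/env bash
# Added example (not from the Selenium repository or this PR): scan workflow
# text for `uses:` refs that are not pinned to a 40-hex commit SHA.
# Local actions/reusable workflows (./path) and docker:// refs are skipped.
set -euo pipefail

# Constructed sample. The SHA is a placeholder, not actions/checkout's real commit.
SAMPLE_WORKFLOW=$(cat <<'EOF'
jobs:
  get-approval:
    uses: ./.github/workflows/get-approval.yml
  update-rust:
    steps:
      - uses: actions/checkout@v4
      - uses: rtCamp/action-slack-notify@v2
      - uses: bazel-contrib/setup-bazel@0.18.0
      - uses: peter-evans/create-pull-request@v6
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
EOF
)

# Read workflow text on stdin; print each unpinned third-party ref, one per
# line, and return 1 if any were found (0 when everything is pinned).
find_unpinned_uses() {
  local found=0 line ref
  local re='^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^[:space:]#]+)'
  while IFS= read -r line; do
    [[ "$line" =~ $re ]] || continue
    ref="${BASH_REMATCH[1]}"
    ref=${ref//\"/}; ref=${ref//\'/}          # tolerate quoted values
    [[ "$ref" == ./* || "$ref" == docker://* ]] && continue
    # A pinned ref ends in exactly 40 hex characters after the '@'.
    if [[ ! "$ref" =~ @[0-9a-fA-F]{40}$ ]]; then
      printf '%s\n' "$ref"
      found=1
    fi
  done
  return "$found"
}

# Gate-style usage: non-zero exit when unpinned refs exist.
# Real invocation: find_unpinned_uses < .github/workflows/pre-release.yml
if find_unpinned_uses <<<"$SAMPLE_WORKFLOW"; then
  echo "all third-party actions pinned"
else
  echo "unpinned actions found (listed above)" >&2
fi
```

When pinning, keep the human-readable tag as a trailing comment (`@<sha> # v4.2.2`), which Dependabot and Renovate use to propose SHA bumps; the SHA for a tag can be resolved with `git ls-remote https://github.com/<owner>/<repo> <tag>`.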
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing input validation: The version normalization only handles major.minor and otherwise proceeds without
rejecting malformed versions, which can cause confusing downstream failures without
actionable context.

Referred Code
- name: Normalize version
  id: version
  run: |
    VERSION="${{ github.event.inputs.version }}"
    if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
      VERSION="${VERSION}.0"
    fi
    echo "value=$VERSION" >> "$GITHUB_OUTPUT"
- name: Update browser versions


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Shell injection risk: The workflow passes the unvalidated and unquoted version input into a shell command,
allowing a crafted input to alter shell execution.

Referred Code
- name: Normalize version
  id: version
  run: |
    VERSION="${{ github.event.inputs.version }}"
    if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
      VERSION="${VERSION}.0"
    fi
    echo "value=$VERSION" >> "$GITHUB_OUTPUT"
- name: Update browser versions
  id: browsers
  run: |
    ./go update_browsers ${{ github.event.inputs.chrome_channel }}
    if git diff --staged --quiet; then
      echo "updated=false" >> "$GITHUB_OUTPUT"
    else
      git commit -m "update pinned browser versions"
      echo "updated=true" >> "$GITHUB_OUTPUT"
    fi
- name: Update devtools versions
  id: devtools
  run: |


 ... (clipped 41 lines)


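The two findings on the "Normalize version" step (missing validation and shell injection) come from the same root cause: `${{ github.event.inputs.version }}` is expanded by the Actions runner into the script text before bash parses it, so a value that closes the quote becomes shell code. The following added example is not code from SeleniumHQ/selenium or from this PR; it reproduces that textual expansion for the quoted step, runs a constructed payload through it, and then shows a hardened step that receives the value through an environment variable (the assumed `INPUT_VERSION` name stands in for `env: INPUT_VERSION: ${{ github.event.inputs.version }}` in the workflow) and rejects anything that is not MAJOR.MINOR or MAJOR.MINOR.PATCH.

```bash
#!/usr/bin/env bash
# Added example (not from the Selenium repository or this PR): the injectable
# normalization step versus a hardened one. INPUT_VERSION and PAYLOAD are
# assumptions for the demonstration.
set -euo pipefail

# Reproduce what the runner does: ${{ github.event.inputs.version }} is
# substituted into the script source, then bash parses the result.
render_vulnerable_step() {
  local input="$1"
  cat <<EOF
VERSION="${input}"
if [[ "\$VERSION" =~ ^[0-9]+\.[0-9]+\$ ]]; then
  VERSION="\${VERSION}.0"
fi
echo "value=\$VERSION"
EOF
}

# Hand the rendered text to bash exactly as the runner would.
run_vulnerable_step() {
  bash -c "$(render_vulnerable_step "$1")"
}

# Hardened core: accept MAJOR.MINOR (append .0) or MAJOR.MINOR.PATCH,
# reject everything else with an actionable message and non-zero status.
normalize_version() {
  local v="${1:-}"
  if [[ "$v" =~ ^[0-9]+\.[0-9]+$ ]]; then
    printf '%s.0\n' "$v"
  elif [[ "$v" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    printf '%s\n' "$v"
  else
    printf 'error: malformed version %s (expected MAJOR.MINOR or MAJOR.MINOR.PATCH)\n' "$v" >&2
    return 1
  fi
}

# Hardened step: the untrusted value is read from the environment, so it is
# data rather than script source, and it is validated before use.
run_hardened_step() {
  local v
  v=$(normalize_version "${INPUT_VERSION:-}") || return 1
  echo "value=$v"
}

# Constructed payload: closes the quoted string, runs a command, reopens it.
PAYLOAD='4.30"; echo INJECTED; VERSION="x'
echo "--- vulnerable rendering executes the attacker's command:"
run_vulnerable_step "$PAYLOAD"
echo "--- hardened step treats the same bytes as data and rejects them:"
INPUT_VERSION="$PAYLOAD" run_hardened_step || echo "rejected (exit $?)"
echo "--- hardened step on a well-formed input:"
INPUT_VERSION="4.30" run_hardened_step
```

The same fix applies to the `./go update_browsers ${{ github.event.inputs.chrome_channel }}` line in the next step: route the input through `env:` and quote it (`"$CHROME_CHANNEL"`) instead of interpolating it into the command.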