From 37632533465c95b6b1a4126b2ad114aa6a3d9d20 Mon Sep 17 00:00:00 2001
From: El Mehdi Abenhazou
Date: Wed, 3 Jun 2026 02:07:00 +0100
Subject: [PATCH 1/2] ci: fix expression injection in notify-on-review-wanted workflow

The workflow used GitHub Actions expressions directly inside shell run steps:
if [[ -n "${{ github.event.pull_request.number }}" ]]; then
number="${{ github.event.pull_request.number }}"
number="${{ github.event.issue.number }}"
Fix: move expressions into env vars, reference env vars in shell.
Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
Signed-off-by: El Mehdi Abenhazou
---
 .github/workflows/notify-on-review-wanted.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/notify-on-review-wanted.yml b/.github/workflows/notify-on-review-wanted.yml
index 1d3124e336b80b..939fe3420fe6a6 100644
--- a/.github/workflows/notify-on-review-wanted.yml
+++ b/.github/workflows/notify-on-review-wanted.yml
@@ -20,14 +20,16 @@ jobs:
         env:
           TITLE_ISSUE: ${{ github.event.issue.title }}
           TITLE_PR: ${{ github.event.pull_request.title }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
-          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
-            number="${{ github.event.pull_request.number }}"
+          if [[ -n "$PR_NUMBER" ]]; then
+            number="$PR_NUMBER"
             link="https://github.com/${{ github.repository }}/pull/$number"
             echo "message=The PR (#$number) requires review from Node.js maintainers. See: $link" >> "$GITHUB_OUTPUT"
             echo "title=$TITLE_PR" >> "$GITHUB_OUTPUT"
           else
-            number="${{ github.event.issue.number }}"
+            number="$ISSUE_NUMBER"
             link="https://github.com/${{ github.repository }}/issues/$number"
             echo "message=The issue (#$number) requires review from Node.js maintainers. See: $link" >> "$GITHUB_OUTPUT"
             echo "title=$TITLE_ISSUE" >> "$GITHUB_OUTPUT"
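Review bot: The two `link=` lines in the run step still interpolate an expression, `${{ github.repository }}`, directly into the shell script, so the hunk removes the injection-prone expressions only partially as a matter of pattern, even though the repository slug is not attacker-controlled. For consistency with the fix and to make the script free of `${{ }}` altogether, the runner's default environment variable can be used instead: `link="https://github.com/$GITHUB_REPOSITORY/pull/$number"` and `link="https://github.com/$GITHUB_REPOSITORY/issues/$number"`. The remaining attacker-influenced inputs are `$TITLE_PR` and `$TITLE_ISSUE`, which are written to `$GITHUB_OUTPUT` with a plain `key=value` line; if a title could ever contain a newline this would let it define additional outputs, so consider the multi-line `key<<EOF` delimiter form for those two `echo` lines, or a one-line comment noting that titles are assumed to be single-line. The step's `name`/`id` keys and any later consumers of the `message` and `title` outputs lie outside the hunk.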
From 8c0828ce7b25bb059a37202ad76e27f8368e95a9 Mon Sep 17 00:00:00 2001
From: El Mehdi Abenhazou
Date: Wed, 3 Jun 2026 03:06:01 +0100
Subject: [PATCH 2/2] ci: fix committer identity