Merge pull request #85 from browserstack/fix/aps-19076-19077-19078-security-bundle

[APS-19076][APS-19077][APS-19078] fix: security hardening — env-var allowlist, workflow SHA pinning, report HTML sanitization

Author: karanshah-browserstack

.github/workflows/setup-env.yml

@@ -10,17 +10,23 @@ on:
     - '.github/workflows/setup-env*'
 
 
+# Security (APS-19077): least-privilege token scope. These workflows only
+# run unit tests; they do not push, comment, or release. Read access to repo
+# contents is sufficient.
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
         operating-system: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Node.js 24.x
-      uses: actions/setup-node@master
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 24.x
         cache: 'npm'

.github/workflows/setup-local.yml

@@ -10,17 +10,23 @@ on:
     - '.github/workflows/setup-local*'
 
 
+# Security (APS-19077): least-privilege token scope. These workflows only
+# run unit tests; they do not push, comment, or release. Read access to repo
+# contents is sufficient.
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
         operating-system: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Node.js 24.x
-      uses: actions/setup-node@master
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 24.x
         cache: 'npm'