chore: sync ci-generic.yml from Template-Generic [skip ci]

.mokogitea/workflows/ci-generic.yml

@@ -13,6 +13,12 @@
 name: "Generic: Project CI"
 
 on:
+  pull_request:
+    branches:
+      - main
+      - dev
+      - dev/**
+      - rc/**
   workflow_dispatch:
 
 permissions:

.mokogitea/workflows/rc-revert.yml

@@ -29,12 +29,20 @@ jobs:
 
     steps:
       - name: Rename branch
+        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          REPO: ${{ github.repository }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
-          BRANCH="${{ github.event.pull_request.head.ref }}"
+          set -euo pipefail
+          # BRANCH is attacker-controlled (PR head ref). Strict allowlist before ANY use.
+          if ! printf '%s' "$BRANCH" | grep -Eq '^rc/[A-Za-z0-9._/-]+$'; then
+            echo "::error::Refusing unsafe branch name: $BRANCH"; exit 1
+          fi
           SUFFIX="${BRANCH#rc/}"
           DEV_BRANCH="dev/${SUFFIX}"
-          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          API="${GITEA_URL}/api/v1/repos/${REPO}/branches"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Create dev/ branch from rc/ branch
           STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
@@ -42,25 +50,22 @@ jobs:
             -H "Content-Type: application/json" \
             -d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
             "${API}" 2>/dev/null || true)
-
           if [ "$STATUS" = "201" ]; then
-            echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+            echo "Created branch: ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
+            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"; exit 1
-            exit 1
           fi
 
-          # Delete rc/ branch
+          # Read BRANCH from the environment inside PHP (getenv, no string interpolation -> no PHP injection)
-          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+          ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')
           STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
             -H "Authorization: token ${TOKEN}" \
             "${API}/${ENCODED}" 2>/dev/null || true)
-
           if [ "$STATUS" = "204" ]; then
-            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+            echo "Deleted branch: ${BRANCH}" >> "$GITHUB_STEP_SUMMARY"
           else
             echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
           fi
 
-          echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
+          echo "### RC Reverted" >> "$GITHUB_STEP_SUMMARY"
-          echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+          echo "${BRANCH} → ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"

CHANGELOG.md

@@ -18,6 +18,8 @@ BRIEF: Release changelog
 
 ## [09.41.00] --- 2026-06-27
 
+## [09.41.00] --- 2026-06-27
+
 ## [09.41.00] --- 2026-06-25
 
 ## [09.41.00] --- 2026-06-25