validate download URLs against trusted domain

tobihagemann · tobihagemann · commit a1ee1659124e · 2026-03-31T16:01:49.000+02:00
diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml
@@ -50,6 +50,11 @@ jobs:
               return
             fi
 
+            if [[ "$url" != https://github.com/cryptomator/cryptomator/releases/download/* ]]; then
+              echo "Unexpected download URL: $url" >&2
+              exit 1
+            fi
+
             UPDATED_ASSETS=1
             RELEASE_URL="$url" RELEASE_DIGEST="${digest#sha256:}" yq -i "
               .releases.${key}.version = env(DESKTOP_VERSION) |
