From 5d4f79b98c60d8bc63fbf96428da3735c0f149c1 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Wed, 22 Apr 2026 10:52:03 +0900
Subject: [PATCH 1/5] fix: check for body type before parsePush execution

---
 src/proxy/processors/push-action/parsePush.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/proxy/processors/push-action/parsePush.ts b/src/proxy/processors/push-action/parsePush.ts
index 2a324c055..d4bb6361b 100644
--- a/src/proxy/processors/push-action/parsePush.ts
+++ b/src/proxy/processors/push-action/parsePush.ts
@@ -56,6 +56,11 @@ async function exec(req: Request, action: Action): Promise {
   if (!req.body || req.body.length === 0) {
     throw new Error('No body found in request');
   }
+
+  if (Array.isArray(req.body) || !Buffer.isBuffer(req.body)) {
+    throw new Error('Invalid body type');
+  }
+
   const [packetLines, packDataOffset] = parsePacketLines(req.body);
   const refUpdates = packetLines.filter((line) => line.includes(BRANCH_PREFIX));

From 04f334564bab8b8afd5eb5b8c7d44ccaac17ffb4 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Wed, 22 Apr 2026 12:22:45 +0900
Subject: [PATCH 2/5] fix: limit pr_title job permissions, split release drafter job

---
 .github/workflows/pr-lint.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 6301eb168..3f95db566 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -16,9 +16,7 @@ permissions:
 jobs:
   pr_title:
     permissions:
-      contents: write
-      pull-requests: write
-      statuses: write
+      pull-requests: read
     name: Validate & Label PR
     runs-on: ubuntu-latest
     steps:
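Review bot: The `Array.isArray(req.body)` clause in the new guard is redundant, because `Buffer.isBuffer` already returns false for arrays, so `if (!Buffer.isBuffer(req.body)) { throw new Error('Invalid body type'); }` expresses the same check. Consider also placing this type guard ahead of the existing `req.body.length === 0` check, so `.length` is only read once the body is known to be a Buffer; today an object body reaches the length check first and is only rejected by the new branch. Rejecting non-Buffer bodies before `parsePacketLines` is the right place for it, since that function consumes client-supplied pack data. The enclosing `exec` continues outside the hunk.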
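Review bot: Dropping to `pull-requests: read` is at odds with the job's name `Validate & Label PR`: applying labels to a pull request needs `pull-requests: write`, so if a labeling step remains in `pr_title` (its steps are outside the hunk) it will now fail with a 403. Either confirm that no remaining step writes labels or statuses and rename the job accordingly, or keep `pull-requests: write` on this job and leave only `contents` and `statuses` reduced. Removing `contents: write` here is the right direction given the release-drafter step moves to its own job.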
@@ -45,6 +43,17 @@ jobs:
           revert
           test
           break
+  release-drafter:
+    permissions:
+      contents: write
+      pull-requests: read
+    name: Release Drafter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
       - uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7
         with:
           commitish: main

From b3f9f7fd3950e3e844ecea7912186d7f9e2d4a1a Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Wed, 22 Apr 2026 12:31:39 +0900
Subject: [PATCH 3/5] fix: missing permissions in dokcer-publish.yml

---
 .github/workflows/docker-publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0ac37895d..7c028e2a6 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -8,6 +8,8 @@ on:
 jobs:
   docker-build-publish:
+    permissions:
+      contents: read
     name: Build and Publish Docker Image
     runs-on: ubuntu-latest

From 04145b1052b160d8ae7797c6cf7b96ff15ce185f Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Thu, 23 Apr 2026 10:45:54 +0900
Subject: [PATCH 4/5] fix: remove peer installation step (fixes unpinned dependency in CodeQL scan)

---
 .github/workflows/sample-publish.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/sample-publish.yml b/.github/workflows/sample-publish.yml
index 5e27cdbd6..19e8bbc19 100644
--- a/.github/workflows/sample-publish.yml
+++ b/.github/workflows/sample-publish.yml
@@ -33,8 +33,6 @@ jobs:
       - name: Install peers and publish
         working-directory: plugins/git-proxy-plugin-samples
-        run: |
-          npm install --include=peer
-          npm publish --provenance --access=public
+        run: npm publish --provenance --access=public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From aa7c42c3b683ffb4e7db0de5d898053d84cd2373 Mon Sep 17 00:00:00 2001
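Review bot: The new `release-drafter` job carries `contents: write` but has no `if:` condition, so it runs on every event this workflow is triggered by (the `on:` block is outside the hunk); if that includes `pull_request`, a write-capable job is executed for each PR even though `commitish: main` suggests releases are only drafted from pushes to `main`. Consider gating it, e.g. `if: github.event_name == 'push'`, or moving it to a dedicated workflow with its own trigger, so the write token is only minted when it is needed. The Harden Runner step is pinned by SHA, which is good; `egress-policy: audit` only logs outbound connections, so switching to `block` with an allowlist is the natural follow-up once the job's endpoints are known.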
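Review bot: `contents: read` alone is likely too narrow for `docker-build-publish` if its publish step pushes with `GITHUB_TOKEN`: a job-level `permissions:` block replaces the workflow-level grants rather than merging with them, so after this change the job holds nothing else. Pushing to GHCR with the default token needs `packages: write`, and signing or attesting the image needs `id-token: write`; a job that authenticates to a registry with a dedicated secret is unaffected. The steps are outside the hunk, so this is worth confirming before merge, since the failure would only surface on the next release run.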
From: Juan Escalada
Date: Thu, 23 Apr 2026 10:58:51 +0900
Subject: [PATCH 5/5] fix: unpinned dependency alert on lint.yml, rename publish step in sample-publish

---
 .github/workflows/lint.yml           | 2 +-
 .github/workflows/sample-publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f9a7a7357..c6c41230b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 0
       - name: Install Dependencies
-        run: npm install --workspaces
+        run: npm ci --workspaces
       - name: Code Linting
         run: |
diff --git a/.github/workflows/sample-publish.yml b/.github/workflows/sample-publish.yml
index 19e8bbc19..ae446749f 100644
--- a/.github/workflows/sample-publish.yml
+++ b/.github/workflows/sample-publish.yml
@@ -31,7 +31,7 @@ jobs:
         working-directory: plugins/git-proxy-plugin-samples
         run: npm run build
-      - name: Install peers and publish
+      - name: Publish git-proxy-plugin-samples
         working-directory: plugins/git-proxy-plugin-samples
         run: npm publish --provenance --access=public
         env:
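Review bot: The new `run: npm ci --workspaces` still executes every dependency's install-time lifecycle scripts on the runner; for a job that only lints, `run: npm ci --workspaces --ignore-scripts` removes that exposure while keeping the lockfile-exact install that resolves the alert. This is safe provided no workspace package relies on a postinstall step to produce something the linter needs, which the hunk alone does not show; the job's remaining steps are outside the hunk. `npm ci` also fails when `package.json` and the lockfile disagree, so lockfile drift will now surface in CI instead of being resolved silently.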