fix: pin 2 unpinned action(s),extract 2 unsafe expression(s) to env vars

[dagecko]

Security: Harden GitHub Actions workflows

Hey, we found some CI/CD security issues in this repo's workflows using Runner Guard, our open-source CI/CD security scanner at Vigilant. These are the same vulnerability classes being actively exploited right now in the tj-actions, Trivy, LiteLLM supply chain attack chain. We scanned the top 50K repos on GitHub and over 20,000 have this same problem. We're trying to get fixes out to as many maintainers as possible before more repos get hit.

This PR fixes what we could automatically, and flags anything else that needs a manual look. There's a real person behind this PR, we're actively checking back on comments so if you have any questions just drop them here and we'll respond.

Fixes applied (in this PR)

Rule	Severity	File	Description
RGS-002	high	.github/workflows/release-preview-publish.yml	Extracted 2 unsafe expression(s) to env vars
RGS-007	high	.github/workflows/validate-lockfile.yml	Pinned 2 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

| Rule | Severity | File | Description |
| RGS-001 | critical | .github/workflows/validate-lockfile.yml | pull_request_target with Fork Code Checkout |
| RGS-005 | medium | .github/workflows/pr-labeler.yml | Excessive Permissions on Untrusted Trigger |

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

• Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
  run: blocks into env: mappings, preventing shell injection
• SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
  (original version tag preserved as comment)
• Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
  which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

---

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

[netlify]

✅ Deploy Preview for mermaid-js ready!

Name	Link
🔨 Latest commit	9bcd78f
🔍 Latest deploy log	https://app.netlify.com/projects/mermaid-js/deploys/69c55f6ce653320008a0d6b9
😎 Deploy Preview	https://deploy-preview-7529--mermaid-js.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9bcd78f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@mermaid-js/examples

npm i https://pkg.pr.new/@mermaid-js/examples@7529

mermaid

npm i https://pkg.pr.new/mermaid@7529

@mermaid-js/layout-elk

npm i https://pkg.pr.new/@mermaid-js/layout-elk@7529

@mermaid-js/layout-tidy-tree

npm i https://pkg.pr.new/@mermaid-js/layout-tidy-tree@7529

@mermaid-js/mermaid-zenuml

npm i https://pkg.pr.new/@mermaid-js/mermaid-zenuml@7529

@mermaid-js/parser

npm i https://pkg.pr.new/@mermaid-js/parser@7529

@mermaid-js/tiny

npm i https://pkg.pr.new/@mermaid-js/tiny@7529

commit: 9bcd78f

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.34%. Comparing base (e9d4c11) to head (9bcd78f).

Additional details and impacted files

@@            Coverage Diff             @@
##           develop   #7529      +/-   ##
==========================================
- Coverage     3.34%   3.34%   -0.01%     
==========================================
  Files          524     525       +1     
  Lines        55256   55267      +11     
  Branches       795     795              
==========================================
  Hits          1850    1850              
- Misses       53406   53417      +11     

Flag	Coverage Δ
unit	3.34% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dagecko]

Resubmitted as #7541. Had a problem with my fork, apologies for the noise.