AdamKorcz
Contributor

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

Bug fix

What is the current behavior?

Currently dangerous workflows don't detect label names.

What is the new behavior (if this is a feature change)?

Dangerous workflows detect label names.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2236

Special notes for your reviewer

Does this PR introduce a user-facing change?

Yes

Dangerous workflows check for label names

@AdamKorcz AdamKorcz requested a review from a team as a code owner July 23, 2025 20:28
@AdamKorcz AdamKorcz requested review from justaugustus and spencerschrock and removed request for a team July 23, 2025 20:28
@AdamKorcz AdamKorcz temporarily deployed to integration-test July 23, 2025 20:28 — with GitHub Actions Inactive

codecov bot commented Jul 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.29%. Comparing base (353ed60) to head (5d9fe37).
⚠️ Report is 252 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4718      +/-   ##
==========================================
+ Coverage   66.80%   68.29%   +1.49%     
==========================================
  Files         230      249      +19     
  Lines       16602    18899    +2297     
==========================================
+ Hits        11091    12908    +1817     
- Misses       4808     5131     +323     
- Partials      703      860     +157     

Signed-off-by: Adam Korczynski <adam@adalogics.com>

github-actions bot commented Aug 4, 2025

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Aug 4, 2025
@spencerschrock
Member

spencerschrock commented Aug 4, 2025

Accounting for when #2236 was opened, the referenced lines were:
https://github.com/google/GoogleSignIn-iOS/blob/fce284c734ef0b8dfdcc83497062bb1dff390998/.github/workflows/pr_notification.yml#L55-L70

```yaml
                      "keyValue": {
                        "topLabel": "Assignees",
                        "content": "- ${{ join(github.event.pull_request.assignees.*.login, ', ') }}"
                      }
                    },
                    {
                      "keyValue": {
                        "topLabel": "Reviewers",
                        "content": "- ${{ join(github.event.pull_request.requested_reviewers.*.login, ', ') }}"
                      }
                    },
                    {
                      "keyValue": {
                        "topLabel": "Labels",
                        "content": "- ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
                      }
```

Since that issue was opened, we do detect some wildcards:

```go
`commits.*\.author\.email|` +
`commits.*\.author\.name|` +
```

In this case, I don't see any attacker-controlled data in github.event.pull_request.labels.*.name.
If you expand the pull_requests.labels object here, the name is the name of the label, which is set in the repo, not by the user:

`name` (string, required): The name of the label.

Unless I'm missing something?
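To make the wildcard point concrete, here is an added example (not scorecard's code) of the kind of regex-based scan a dangerous-workflow check performs over `${{ }}` expressions; the untrusted-context list and the sample workflow are this example's own assumptions. It shows that a `commits.*` entry already covers both indexed and wildcard access, and that `labels.*.name` is only flagged if someone decides to put it on the list.

```go
package main

import (
	"regexp"
	"strings"
)

// Contexts an outside contributor can influence. This list is the example's
// own assumption modeled on a dangerous-workflow check, not scorecard's source.
// Because `.*` follows `commits`, commits[0].author.name and the
// commits.*.author.name wildcard both match, which is the point made above.
var untrustedContexts = regexp.MustCompile(
	`(issue\.title|issue\.body|pull_request\.title|pull_request\.body|` +
		`comment\.body|commits.*\.message|commits.*\.author\.email|` +
		`commits.*\.author\.name|pull_request\.head\.ref|pull_request\.head\.label)`)

// exprPattern captures the inside of every ${{ ... }} expression.
var exprPattern = regexp.MustCompile(`\$\{\{([^}]*)\}\}`)

// Finding is one expression that references an untrusted context.
type Finding struct {
	Line int
	Expr string
}

// IsUntrusted reports whether a single expression touches a listed context.
func IsUntrusted(expr string) bool {
	return untrustedContexts.MatchString(expr)
}

// FindUntrustedExpressions scans workflow text line by line and returns each
// ${{ }} expression that references an untrusted github.event field.
func FindUntrustedExpressions(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		for _, m := range exprPattern.FindAllStringSubmatch(line, -1) {
			if expr := strings.TrimSpace(m[1]); IsUntrusted(expr) {
				findings = append(findings, Finding{Line: i + 1, Expr: expr})
			}
		}
	}
	return findings
}

// sampleWorkflow is constructed for this example: two steps that interpolate
// contributor-controlled data, then the assignees/labels pattern quoted above.
const sampleWorkflow = `steps:
  - run: echo "${{ github.event.pull_request.title }}"
  - run: echo "${{ join(github.event.commits.*.author.name, ', ') }}"
  - run: |
      echo "- ${{ join(github.event.pull_request.assignees.*.login, ', ') }}"
      echo "- ${{ join(github.event.pull_request.labels.*.name, ', ') }}"`
```

Running `FindUntrustedExpressions(sampleWorkflow)` reports lines 2 and 3 only; the assignees and labels expressions pass because neither field is on the list.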


This pull request has been marked stale because it has been open for 10 days with no activity

@AdamKorcz
Contributor Author

Please reopen.

@spencerschrock
Member

> Please reopen.

Done. But waiting for a response on your side.

@github-actions github-actions bot removed the Stale label Sep 24, 2025

github-actions bot commented Oct 5, 2025

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Oct 5, 2025
Successfully merging this pull request may close these issues.

Feature: support wildcard in dangerous workflow