Harden Black action version parsing (#5031)

Author: JelleZijlstra

CHANGES.md

@@ -68,6 +68,13 @@
 
 <!-- For example, Docker, GitHub Actions, pre-commit, editors -->
 
+- Harden parsing of `black` requirements in the GitHub Action when `use_pyproject` is
+  enabled so that only version specifiers are accepted and direct references such as
+  `black @ https://...` are rejected. Users should upgrade to the latest version of the
+  action as soon as possible. This update is received automatically when using
+  `psf/black@stable`, and is independent of the version of Black installed by the
+  action. (#5031)
+
 ### Documentation
 
 <!-- Major changes to documentation and policies. Small docs changes

action/main.py

@@ -17,7 +17,11 @@
 USE_PYPROJECT = os.getenv("INPUT_USE_PYPROJECT") == "true"
 OUTPUT_FILE = os.getenv("OUTPUT_FILE", default="")
 
-BLACK_VERSION_RE = re.compile(r"^black([^A-Z0-9._-]+.*)$", re.IGNORECASE)
+BLACK_VERSION_RE = re.compile(
+    r"^black((?:\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)"
+    r"(?:\s*,\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)*)\s*$",
+    re.IGNORECASE,
+)
 EXTRAS_RE = re.compile(r"\[.*\]")
 EXPORT_SUBST_FAIL_RE = re.compile(r"\$Format:.*\$")
 

docs/integrations/github_actions.md

@@ -59,6 +59,11 @@ To read the version from the `pyproject.toml` file instead, set `use_pyproject`
 `project.optional-dependencies` table. Note that this requires Python >= 3.11, so using
 the setup-python action may be required, for example:
 
+**Security note:** `use_pyproject` only accepts standard version specifiers for `black`
+(for example `==`, `~=`, `>=` and ranges like `>=25,<26`). Direct references such as
+`black @ https://...` are not supported. If your workflow runs on untrusted pull
+requests (for example from forks), prefer setting `with.version` explicitly.
+
 ```yaml
 - uses: actions/setup-python@v6
   with: