fix(security): harden CI workflow and disable Maven auto-release [APS-19020]

CI / release supply-chain hardening:

- .github/workflows/ci.yml:
  * pin actions/checkout from @v2 to commit SHA
    34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1)
  * pin actions/setup-java from @V3 to commit SHA
    c1e323688fd81a25caa38c78aa6df2d33d3e20d9 (v4.8.0)
  * add top-level `permissions: contents: read` block (mirrors the
    pattern already used in .github/workflows/Semgrep.yml in this
    repo). Token-scope minimization for the workflow.

- pom.xml: nexus-staging-maven-plugin's <autoReleaseAfterClose>
  flipped true -> false. After mvn release:perform, the staged
  release on OSSRH must now be promoted manually. The release
  runbook will be updated separately.

- CHANGELOG.md: new file with an Unreleased section summarizing
  all three security fixes (APS-19018, APS-19019, APS-19020) and
  calling out the setProxy behaviour change for consumers.

Resolves: APS-19020

Author: Jimesh-browserstack

.github/workflows/ci.yml

@@ -8,14 +8,17 @@ on:
     branches:
     - master
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Set up JDK 8
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           java-version: 8
           distribution: 'temurin'

CHANGELOG.md

@@ -0,0 +1,40 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+### Security
+
+- **SSRF guard on `AutomateClient.getSessionLogs`** — the URL returned by the
+  BrowserStack API is now validated before being fetched. Only `https` URLs whose
+  host (parsed via `java.net.URI`) ends in `.browserstack.com` are accepted; all
+  other URLs throw `AutomateException`. This prevents a maliciously-crafted
+  session record from causing the client to issue requests against an attacker
+  endpoint. (APS-19018)
+
+- **`setProxy` is now per-instance** — previously, calling
+  `BrowserStackClient.setProxy(...)` mutated a JVM-wide `static HTTP_TRANSPORT`
+  field, so a proxy configured on one client instance leaked to every other
+  instance running in the same JVM (and a non-proxied client could end up using
+  another tenant's proxy). The transport is now an instance field. **Anyone
+  whose code relied on cross-instance proxy state must now call `setProxy` on
+  each `BrowserStackClient` / `AutomateClient` they construct.** (APS-19019)
+
+- **`checkAuthState` now throws when EITHER credential is missing** — previously
+  the guard only fired when both `username` and `accessKey` were `null`,
+  meaning a client with one credential set and one missing would proceed and
+  produce a malformed `Authorization: Basic` header. The condition is now
+  `username == null || accessKey == null`. (APS-19019)
+
+### CI / Release
+
+- **GitHub Actions hardening** — `.github/workflows/ci.yml` actions are now
+  pinned to commit SHAs (`actions/checkout@v4.3.1`,
+  `actions/setup-java@v4.8.0`) and a top-level `permissions: contents: read`
+  block has been added. (APS-19020)
+
+- **Maven release auto-promote disabled** — `nexus-staging-maven-plugin`'s
+  `autoReleaseAfterClose` is now `false`. Staged releases must be manually
+  promoted via OSSRH after a `mvn release:perform`. See the BrowserStack
+  internal release runbook for the manual promotion step. (APS-19020)

pom.xml

@@ -89,7 +89,7 @@
 				<configuration>
 					<serverId>ossrh</serverId>
 					<nexusUrl>https://oss.sonatype.org/</nexusUrl>
-					<autoReleaseAfterClose>true</autoReleaseAfterClose>
+					<autoReleaseAfterClose>false</autoReleaseAfterClose>
 				</configuration>
 			</plugin>
 			<plugin>