chore: relax HTTP header name validation to match RFC 7230

Updated the regex in `src/helpers.ts` to allow all valid characters in an HTTP token (RFC 7230, section 3.2.6), including symbols like `_`, `.`, `!`, and `*`. Previously, the validation was overly restrictive, only allowing alphanumeric characters and hyphens.

Also updated the corresponding unit test in `__tests__/helpers.test.ts` to reflect the change.
google-labs-jules[bot]
2026-02-24 17:44:57 +00:00
parent a380166897
commit 326b9a12f4
2 changed files with 5 additions and 6 deletions


@@ -214,13 +214,11 @@ valid123: value5`
expect(result).toEqual({
'valid-header': 'value1',
invalid_underscore: 'value3',
valid123: 'value5',
})
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid header'))
expect(core.warning).toHaveBeenCalledWith(
expect.stringContaining('Skipping invalid header name: invalid_underscore'),
)
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid@header'))
})
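Review bot: The fixture key `invalid_underscore` is now asserted as an accepted header in the `toEqual` block, so its name contradicts what the test checks. Renaming it to something like `valid_underscore` would keep the test readable; the input string that defines it sits above this hunk and is not visible here, so it would need the same rename. The test also covers only `_` from the newly allowed set. A name using other tchar symbols such as `.` or `!`, and a rejected name containing CR or LF, would pin both edges of the new regex.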


@@ -121,9 +121,10 @@ function validateAndMaskHeaders(headers: Record<string, unknown>): Record<string
const sensitivePatterns = ['key', 'token', 'secret', 'password', 'authorization']
for (const [name, value] of Object.entries(headers)) {
// Validate header name (basic HTTP header name validation, RFC 7230: letters, digits, and hyphens)
if (!/^[A-Za-z0-9-]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (only alphanumeric characters and hyphens allowed)`)
// Validate header name (RFC 7230: token = 1*tchar)
// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (contains invalid characters)`)
continue
}
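Review bot: Accepting the full tchar set means names such as `X_Forwarded_For` now pass this check, and some receivers do not treat `_` as distinct from `-`: CGI-style gateways fold both into the same variable name, and nginx drops underscore headers by default (`underscores_in_headers off`). The regex itself matches RFC 7230, so this is a documentation gap rather than a bug. I would add a comment above the test, e.g. `// NOTE: "_" is a valid tchar, but CGI-style servers fold it with "-"; this check does not prevent header-name collisions downstream.` Separately, the warning interpolates the rejected `name` verbatim, and rejected names are exactly the ones that can contain control characters or whitespace, so `JSON.stringify(name)` in the message would keep the log line unambiguous (the test's expected strings would need the quoted form). The body of `validateAndMaskHeaders` continues outside the hunk.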