
fix(NODE-7477): OIDC host allowlist fix #4896

Merged
tadjik1 merged 6 commits into v7.1.x from NODE-7477 on Mar 23, 2026

Conversation

@PavelSafronov (Contributor) commented Mar 17, 2026

Description

Summary of Changes

Notes for Reviewers

What is the motivation for this change?

Release Highlight

Tighten OIDC ALLOWED_HOSTS wildcard matching

The OIDC ALLOWED_HOSTS wildcard handling has been fixed to require full subdomain/path matches for *. and */ entries, preventing partial suffix matches from being incorrectly accepted.

Double check the following

  • Lint is passing (npm run check:lint)
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

Copilot AI left a comment

Pull request overview

This PR tightens the OIDC ALLOWED_HOSTS matching logic by preventing “partial” wildcard suffix matches (e.g., test-mongodb.com no longer matches *.mongodb.com), and adds unit tests covering the new matching behavior. It also introduces a new GitHub Actions release workflow for the v7.1.x branch.

Changes:

  • Update hostMatchesWildcards to require boundary-aware wildcard matches for *. (domains) and */ (unix socket paths).
  • Add unit tests to ensure partial suffix matches are rejected for both domain and unix socket patterns.
  • Add a release-7.1 GitHub Actions workflow targeting the v7.1.x branch.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File: Description
src/utils.ts: Implements stricter wildcard boundary matching for OIDC host allowlist validation.
test/unit/utils.test.ts: Adds regression tests for previously-accepted partial wildcard matches.
.github/workflows/release-7.1.yml: Adds a release automation workflow for the v7.1.x branch.

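As an added illustration of the boundary-aware matching the review describes (example code, not the driver's hostMatchesWildcards; the loose matcher's shape, the function names and the allowlist values are assumed for illustration):

```typescript
// Added example, not the driver's own code. Two invented matchers show the
// class of bug the PR fixes: a loose suffix check beside a boundary-aware one.
// The original implementation is not shown on the PR page; the loose version
// below is an assumed shape, kept only to make the failure visible.

type Allowlist = readonly string[];

// Loose matcher (assumed shape of the bug): strips the "*." / "*/" prefix and
// tests the bare suffix, so "test-mongodb.com" satisfies "*.mongodb.com".
export function looseHostMatches(host: string, allowed: Allowlist): boolean {
  return allowed.some(entry =>
    entry.startsWith('*.') || entry.startsWith('*/')
      ? host.endsWith(entry.slice(2))
      : host === entry
  );
}

// Keep the boundary character ("." or "/") in the suffix and require the
// wildcard to consume at least one character, so a match can only begin at a
// subdomain-label or path-segment boundary, never inside a label.
function endsAtBoundary(host: string, suffixWithBoundary: string): boolean {
  return host.length > suffixWithBoundary.length && host.endsWith(suffixWithBoundary);
}

export function strictHostMatches(host: string, allowed: Allowlist): boolean {
  return allowed.some(entry => {
    if (entry.startsWith('*.')) return endsAtBoundary(host, entry.slice(1)); // ".mongodb.com"
    if (entry.startsWith('*/')) return endsAtBoundary(host, entry.slice(1)); // "/name.sock"
    return host === entry; // no wildcard: exact match only
  });
}

// Constructed allowlist covering the two entry kinds the PR handles.
export const ALLOWED_HOSTS: Allowlist = ['*.mongodb.com', '*/mongodb-27017.sock'];

// Side-by-side comparison: each row is [host, looseResult, strictResult].
export function compare(hosts: readonly string[]): Array<[string, boolean, boolean]> {
  return hosts.map(h => [h, looseHostMatches(h, ALLOWED_HOSTS), strictHostMatches(h, ALLOWED_HOSTS)]);
}
```

Running compare over ['cluster0.mongodb.com', 'test-mongodb.com', '/tmp/mongodb-27017.sock', '/tmp/evil-mongodb-27017.sock'] shows the loose matcher accepting all four while the strict matcher accepts only the first and third.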

@dariakp dariakp changed the title fix(7477): OIDC host allowlist fix fix(NODE-7477): OIDC host allowlist fix Mar 18, 2026
@PavelSafronov PavelSafronov marked this pull request as ready for review March 19, 2026 21:22
@PavelSafronov PavelSafronov requested a review from a team as a code owner March 19, 2026 21:22
@tadjik1 tadjik1 self-assigned this Mar 20, 2026
@tadjik1 tadjik1 added the label "Primary Review: In Review with primary reviewer, not yet ready for team's eyes" Mar 20, 2026
tadjik1
tadjik1 previously approved these changes Mar 20, 2026
@dariakp dariakp requested a review from nbbeeken March 22, 2026 17:40
@tadjik1 tadjik1 merged commit 237c9ab into v7.1.x Mar 23, 2026
25 of 28 checks passed
@tadjik1 tadjik1 deleted the NODE-7477 branch March 23, 2026 17:08