Restrict github token (#140)

This commit is contained in:
Colin McDonnell
2026-01-21 02:17:46 +00:00
committed by pullfrog[bot]
parent 04cc24bf64
commit 01ee59a96c
6 changed files with 48 additions and 18 deletions
+13 -7
View File
@@ -119192,9 +119192,6 @@ function filterEnv(isPublicRepo) {
if (isPublicRepo && isSensitive(key)) continue;
filtered[key] = value2;
}
if (process.env.ORIGINAL_GITHUB_TOKEN) {
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
}
return filtered;
}
function spawnSandboxed(params) {
@@ -120772,10 +120769,11 @@ var PushBranch = type({
branchName: type.string.describe("The branch name to push (defaults to current branch)").optional(),
force: type.boolean.describe("Force push (use with caution)").default(false)
});
function PushBranchTool(_ctx) {
function PushBranchTool(ctx) {
const defaultBranch = ctx.repo.repo.default_branch || "main";
return tool({
name: "push_branch",
description: "Push the current branch (or specified branch) to the remote repository. Git automatically determines the correct remote based on branch config (set by checkout_pr for fork PRs). Never force push unless explicitly requested.",
description: "Push the current branch (or specified branch) to the remote repository. Git automatically determines the correct remote based on branch config (set by checkout_pr for fork PRs). Never force push unless explicitly requested. Pushes to the default branch are blocked.",
parameters: PushBranch,
execute: execute(async ({ branchName, force }) => {
const branch = branchName || $("git", ["rev-parse", "--abbrev-ref", "HEAD"], { log: false });
@@ -120790,6 +120788,11 @@ function PushBranchTool(_ctx) {
remoteBranch = mergeRef.replace("refs/heads/", "");
} catch {
}
if (remoteBranch === defaultBranch) {
throw new Error(
`Push blocked: cannot push directly to default branch '${remoteBranch}'. Create a feature branch and open a PR instead.`
);
}
const refspec = branch === remoteBranch ? branch : `${branch}:${remoteBranch}`;
const args3 = force ? ["push", "--force", "-u", remote, refspec] : ["push", "-u", remote, refspec];
log.debug(`pushing ${branch} to ${remote}/${remoteBranch}`);
@@ -140600,14 +140603,15 @@ async function setupGit(params) {
} catch {
log.debug("\xBB no existing authentication headers to remove");
}
const originToken = params.bashPermission === "enabled" ? params.token : params.originalToken || params.token;
if (params.event.is_pr !== true || !params.event.issue_number) {
const originUrl2 = `https://x-access-token:${params.token}@github.com/${params.owner}/${params.name}.git`;
const originUrl2 = `https://x-access-token:${originToken}@github.com/${params.owner}/${params.name}.git`;
$("git", ["remote", "set-url", "origin", originUrl2], { cwd: repoDir });
log.info("\xBB updated origin URL with authentication token");
return;
}
const prNumber = params.event.issue_number;
const originUrl = `https://x-access-token:${params.token}@github.com/${params.owner}/${params.name}.git`;
const originUrl = `https://x-access-token:${originToken}@github.com/${params.owner}/${params.name}.git`;
$("git", ["remote", "set-url", "origin", originUrl], { cwd: repoDir });
const prContext = await checkoutPrBranch({
octokit: params.octokit,
@@ -140693,6 +140697,8 @@ async function main() {
});
await setupGit({
token: tokenRef.token,
originalToken: process.env.ORIGINAL_GITHUB_TOKEN,
bashPermission: payload.bash,
owner: repo.owner,
name: repo.name,
event: payload.event,