Restrict github token (#140)
This commit is contained in:
committed by
pullfrog[bot]
parent
04cc24bf64
commit
01ee59a96c
@@ -119192,9 +119192,6 @@ function filterEnv(isPublicRepo) {
|
||||
if (isPublicRepo && isSensitive(key)) continue;
|
||||
filtered[key] = value2;
|
||||
}
|
||||
if (process.env.ORIGINAL_GITHUB_TOKEN) {
|
||||
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
|
||||
}
|
||||
return filtered;
|
||||
}
|
||||
function spawnSandboxed(params) {
|
||||
@@ -120772,10 +120769,11 @@ var PushBranch = type({
|
||||
branchName: type.string.describe("The branch name to push (defaults to current branch)").optional(),
|
||||
force: type.boolean.describe("Force push (use with caution)").default(false)
|
||||
});
|
||||
function PushBranchTool(_ctx) {
|
||||
function PushBranchTool(ctx) {
|
||||
const defaultBranch = ctx.repo.repo.default_branch || "main";
|
||||
return tool({
|
||||
name: "push_branch",
|
||||
description: "Push the current branch (or specified branch) to the remote repository. Git automatically determines the correct remote based on branch config (set by checkout_pr for fork PRs). Never force push unless explicitly requested.",
|
||||
description: "Push the current branch (or specified branch) to the remote repository. Git automatically determines the correct remote based on branch config (set by checkout_pr for fork PRs). Never force push unless explicitly requested. Pushes to the default branch are blocked.",
|
||||
parameters: PushBranch,
|
||||
execute: execute(async ({ branchName, force }) => {
|
||||
const branch = branchName || $("git", ["rev-parse", "--abbrev-ref", "HEAD"], { log: false });
|
||||
@@ -120790,6 +120788,11 @@ function PushBranchTool(_ctx) {
|
||||
remoteBranch = mergeRef.replace("refs/heads/", "");
|
||||
} catch {
|
||||
}
|
||||
if (remoteBranch === defaultBranch) {
|
||||
throw new Error(
|
||||
`Push blocked: cannot push directly to default branch '${remoteBranch}'. Create a feature branch and open a PR instead.`
|
||||
);
|
||||
}
|
||||
const refspec = branch === remoteBranch ? branch : `${branch}:${remoteBranch}`;
|
||||
const args3 = force ? ["push", "--force", "-u", remote, refspec] : ["push", "-u", remote, refspec];
|
||||
log.debug(`pushing ${branch} to ${remote}/${remoteBranch}`);
|
||||
@@ -140600,14 +140603,15 @@ async function setupGit(params) {
|
||||
} catch {
|
||||
log.debug("\xBB no existing authentication headers to remove");
|
||||
}
|
||||
const originToken = params.bashPermission === "enabled" ? params.token : params.originalToken || params.token;
|
||||
if (params.event.is_pr !== true || !params.event.issue_number) {
|
||||
const originUrl2 = `https://x-access-token:${params.token}@github.com/${params.owner}/${params.name}.git`;
|
||||
const originUrl2 = `https://x-access-token:${originToken}@github.com/${params.owner}/${params.name}.git`;
|
||||
$("git", ["remote", "set-url", "origin", originUrl2], { cwd: repoDir });
|
||||
log.info("\xBB updated origin URL with authentication token");
|
||||
return;
|
||||
}
|
||||
const prNumber = params.event.issue_number;
|
||||
const originUrl = `https://x-access-token:${params.token}@github.com/${params.owner}/${params.name}.git`;
|
||||
const originUrl = `https://x-access-token:${originToken}@github.com/${params.owner}/${params.name}.git`;
|
||||
$("git", ["remote", "set-url", "origin", originUrl], { cwd: repoDir });
|
||||
const prContext = await checkoutPrBranch({
|
||||
octokit: params.octokit,
|
||||
@@ -140693,6 +140697,8 @@ async function main() {
|
||||
});
|
||||
await setupGit({
|
||||
token: tokenRef.token,
|
||||
originalToken: process.env.ORIGINAL_GITHUB_TOKEN,
|
||||
bashPermission: payload.bash,
|
||||
owner: repo.owner,
|
||||
name: repo.name,
|
||||
event: payload.event,
|
||||
|
||||
Reference in New Issue
Block a user