remove global github token env coupling (#373)

thread mcp token into exit cleanup and drop process env mutation from token resolution so token access stays explicit and in-memory.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Colin McDonnell
2026-02-22 14:13:03 +00:00
committed by pullfrog[bot]
parent cfd38d82fc
commit 1b4f4374f3
2 changed files with 1 additions and 44 deletions
-20
View File
@@ -140387,22 +140387,6 @@ function createOctokit(token) {
// utils/token.ts
var mcpTokenValue;
function setEnvironmentVariable(name, value2) {
const hadValue = Object.hasOwn(process.env, name);
const originalValue = process.env[name];
if (typeof value2 === "string") {
process.env[name] = value2;
} else {
delete process.env[name];
}
return () => {
if (hadValue) {
process.env[name] = originalValue;
} else {
delete process.env[name];
}
};
}
function getJobToken() {
const inputToken = core3.getInput("token");
if (inputToken) {
@@ -140418,7 +140402,6 @@ async function resolveTokens(params) {
assert2(!mcpTokenValue, "tokens are already resolved");
const externalToken = process.env.GH_TOKEN;
if (externalToken) {
const revertGithubToken2 = setEnvironmentVariable("GITHUB_TOKEN", externalToken);
mcpTokenValue = externalToken;
if (isGitHubActions) {
core3.setSecret(externalToken);
@@ -140429,7 +140412,6 @@ async function resolveTokens(params) {
mcpToken: externalToken,
async [Symbol.asyncDispose]() {
mcpTokenValue = void 0;
revertGithubToken2();
}
};
}
@@ -140446,7 +140428,6 @@ async function resolveTokens(params) {
core3.setSecret(mcpToken);
}
log.info("\xBB acquired full MCP token");
const revertGithubToken = setEnvironmentVariable("GITHUB_TOKEN", mcpToken);
mcpTokenValue = mcpToken;
let disposingRef;
const dispose = async () => {
@@ -140456,7 +140437,6 @@ async function resolveTokens(params) {
disposingRef = Promise.withResolvers();
try {
mcpTokenValue = void 0;
revertGithubToken();
await Promise.all([
revokeGitHubInstallationToken(gitToken),
revokeGitHubInstallationToken(mcpToken)
+1 -24
View File
@@ -13,25 +13,6 @@ export { revokeGitHubInstallationToken as revokeInstallationToken };
// store MCP token in memory for getGitHubInstallationToken()
let mcpTokenValue: string | undefined;
function setEnvironmentVariable(name: string, value: string | undefined) {
const hadValue = Object.hasOwn(process.env, name);
const originalValue = process.env[name];
if (typeof value === "string") {
process.env[name] = value;
} else {
delete process.env[name];
}
return () => {
if (hadValue) {
process.env[name] = originalValue;
} else {
delete process.env[name];
}
};
}
/**
* get the job-scoped token from action input.
* this token has permissions defined by the workflow's permissions block.
@@ -84,7 +65,6 @@ export async function resolveTokens(params: ResolveTokensParams): Promise<TokenR
// external token takes precedence - use for both git and MCP
if (externalToken) {
const revertGithubToken = setEnvironmentVariable("GITHUB_TOKEN", externalToken);
mcpTokenValue = externalToken;
if (isGitHubActions) {
@@ -98,7 +78,6 @@ export async function resolveTokens(params: ResolveTokensParams): Promise<TokenR
mcpToken: externalToken,
async [Symbol.asyncDispose]() {
mcpTokenValue = undefined;
revertGithubToken();
// GH_TOKEN isn't acquired here, so it's not revoked here either
},
};
@@ -128,8 +107,6 @@ export async function resolveTokens(params: ResolveTokensParams): Promise<TokenR
}
log.info("» acquired full MCP token");
// set MCP token as GITHUB_TOKEN for compatibility
const revertGithubToken = setEnvironmentVariable("GITHUB_TOKEN", mcpToken);
mcpTokenValue = mcpToken;
let disposingRef: PromiseWithResolvers<void> | undefined;
@@ -143,7 +120,7 @@ export async function resolveTokens(params: ResolveTokensParams): Promise<TokenR
disposingRef = Promise.withResolvers();
try {
mcpTokenValue = undefined;
revertGithubToken();
// revoke both tokens
await Promise.all([
revokeGitHubInstallationToken(gitToken),
revokeGitHubInstallationToken(mcpToken),