Pass through original GITHUB_TOKEN in scrub-env mode

This commit is contained in:
Colin McDonnell
2026-01-15 01:20:16 +00:00
committed by pullfrog[bot]
parent 75b429ceca
commit 4547b0032e
5 changed files with 28 additions and 8 deletions
+6 -2
View File
@@ -104337,6 +104337,7 @@ async function acquireNewToken(opts) {
var githubInstallationToken;
async function setupGitHubInstallationToken() {
assert2(!githubInstallationToken, "GitHub installation token is already set.");
process.env.ORIGINAL_GITHUB_TOKEN = process.env.GITHUB_TOKEN;
const acquiredToken = await acquireNewToken();
core2.setSecret(acquiredToken);
githubInstallationToken = acquiredToken;
@@ -104389,10 +104390,10 @@ function createOctokit(token) {
return new OctokitWithPlugins({
auth: token,
throttle: {
onRateLimit: (retryAfter, options, octokit, retryCount) => {
onRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
},
onSecondaryRateLimit: (retryAfter, options, octokit, retryCount) => {
onSecondaryRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
}
}
@@ -138026,6 +138027,9 @@ function filterEnv(isPublicRepo) {
if (isPublicRepo && isSensitive(key)) continue;
filtered[key] = value2;
}
if (process.env.ORIGINAL_GITHUB_TOKEN) {
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
}
return filtered;
}
function spawnSandboxed(command, options) {
+6 -2
View File
@@ -104337,6 +104337,7 @@ async function acquireNewToken(opts) {
var githubInstallationToken;
async function setupGitHubInstallationToken() {
assert2(!githubInstallationToken, "GitHub installation token is already set.");
process.env.ORIGINAL_GITHUB_TOKEN = process.env.GITHUB_TOKEN;
const acquiredToken = await acquireNewToken();
core2.setSecret(acquiredToken);
githubInstallationToken = acquiredToken;
@@ -104389,10 +104390,10 @@ function createOctokit(token) {
return new OctokitWithPlugins({
auth: token,
throttle: {
onRateLimit: (retryAfter, options, octokit, retryCount) => {
onRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
},
onSecondaryRateLimit: (retryAfter, options, octokit, retryCount) => {
onSecondaryRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
}
}
@@ -138026,6 +138027,9 @@ function filterEnv(isPublicRepo) {
if (isPublicRepo && isSensitive(key)) continue;
filtered[key] = value2;
}
if (process.env.ORIGINAL_GITHUB_TOKEN) {
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
}
return filtered;
}
function spawnSandboxed(command, options) {
+5
View File
@@ -26,6 +26,11 @@ function filterEnv(isPublicRepo: boolean): Record<string, string> {
if (isPublicRepo && isSensitive(key)) continue;
filtered[key] = value;
}
// restore original GITHUB_TOKEN (the one set by GitHub Actions, not our installation token)
// this allows git operations in subprocesses to work while keeping our installation token secure
if (process.env.ORIGINAL_GITHUB_TOKEN) {
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
}
return filtered;
}
+6 -2
View File
@@ -104337,6 +104337,7 @@ async function acquireNewToken(opts) {
var githubInstallationToken;
async function setupGitHubInstallationToken() {
assert2(!githubInstallationToken, "GitHub installation token is already set.");
process.env.ORIGINAL_GITHUB_TOKEN = process.env.GITHUB_TOKEN;
const acquiredToken = await acquireNewToken();
core2.setSecret(acquiredToken);
githubInstallationToken = acquiredToken;
@@ -104389,10 +104390,10 @@ function createOctokit(token) {
return new OctokitWithPlugins({
auth: token,
throttle: {
onRateLimit: (retryAfter, options, octokit, retryCount) => {
onRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
},
onSecondaryRateLimit: (retryAfter, options, octokit, retryCount) => {
onSecondaryRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
}
}
@@ -138026,6 +138027,9 @@ function filterEnv(isPublicRepo) {
if (isPublicRepo && isSensitive(key)) continue;
filtered[key] = value2;
}
if (process.env.ORIGINAL_GITHUB_TOKEN) {
filtered.GITHUB_TOKEN = process.env.ORIGINAL_GITHUB_TOKEN;
}
return filtered;
}
function spawnSandboxed(command, options) {
+5 -2
View File
@@ -230,6 +230,7 @@ const findInstallationId = async (
);
};
// for local development only
async function acquireTokenViaGitHubApp(): Promise<string> {
const repoContext = parseRepoContext();
@@ -263,6 +264,8 @@ let githubInstallationToken: string | undefined;
*/
export async function setupGitHubInstallationToken() {
assert(!githubInstallationToken, "GitHub installation token is already set.");
// store original GITHUB_TOKEN before we overwrite it (used by filterEnv in bash.ts)
process.env.ORIGINAL_GITHUB_TOKEN = process.env.GITHUB_TOKEN;
const acquiredToken = await acquireNewToken();
core.setSecret(acquiredToken);
githubInstallationToken = acquiredToken;
@@ -339,10 +342,10 @@ export function createOctokit(token: string): OctokitWithPlugins {
return new OctokitWithPlugins({
auth: token,
throttle: {
onRateLimit: (retryAfter, options, octokit, retryCount) => {
onRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
},
onSecondaryRateLimit: (retryAfter, options, octokit, retryCount) => {
onSecondaryRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
return retryCount <= 2;
},
},