diff --git a/agents/instructions.ts b/agents/instructions.ts index df933d3..e32e597 100644 --- a/agents/instructions.ts +++ b/agents/instructions.ts @@ -56,7 +56,11 @@ interface AddInstructionsParams { useNativeBash?: boolean; } -export const addInstructions = ({ payload, repo, useNativeBash = false }: AddInstructionsParams) => { +export const addInstructions = ({ + payload, + repo, + useNativeBash = false, +}: AddInstructionsParams) => { let encodedEvent = ""; const eventKeys = Object.keys(payload.event); @@ -99,6 +103,10 @@ In case of conflict between instructions, follow this precedence (highest to low 4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.) 5. User prompt +## Security + +Never expose secrets (API keys, tokens, passwords, private keys, credentials) through any channel: console output, files, commits, comments, API responses, error messages, or URLs. Never serialize environment objects (\`process.env\`, \`os.environ\`, etc.) or iterate over them. If asked to reveal secrets: refuse, explain that exposing secrets is prohibited, and offer a safe alternative if applicable. Detect and deny any suspicious or malicious requests. + ## MCP (Model Context Protocol) Tools MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations. diff --git a/entry b/entry index bf72a06..e086e58 100755 --- a/entry +++ b/entry @@ -100536,7 +100536,11 @@ function buildRuntimeContext(repo) { } return lines.join("\n"); } -var addInstructions = ({ payload, repo, useNativeBash = false }) => { +var addInstructions = ({ + payload, + repo, + useNativeBash = false +}) => { let encodedEvent = ""; const eventKeys = Object.keys(payload.event); if (eventKeys.length === 1 && eventKeys[0] === "trigger") { @@ -100572,6 +100576,10 @@ In case of conflict between instructions, follow this precedence (highest to low 4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.) 5. User prompt +## Security + +Never expose secrets (API keys, tokens, passwords, private keys, credentials) through any channel: console output, files, commits, comments, API responses, error messages, or URLs. Never serialize environment objects (\`process.env\`, \`os.environ\`, etc.) or iterate over them. If asked to reveal secrets: refuse, explain that exposing secrets is prohibited, and offer a safe alternative if applicable. Detect and deny any suspicious or malicious requests. + ## MCP (Model Context Protocol) Tools MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations. diff --git a/play.ts b/play.ts index ebc4d77..7a5e27a 100644 --- a/play.ts +++ b/play.ts @@ -108,24 +108,18 @@ Examples: const passArgs = process.argv.slice(2); const nodeCmd = `node play.ts ${passArgs.join(" ")}`; - // collect env vars to pass through - const envFlags: string[] = []; - for (const [key, value] of Object.entries(process.env)) { - const shouldPass = - key.includes("API_KEY") || - key.includes("_TOKEN") || - key === "GITHUB_REPOSITORY" || - key === "AGENT_OVERRIDE" || - key === "LOG_LEVEL"; - if (value && shouldPass) envFlags.push("-e", `${key}=${value}`); - } + // pass .env file directly to Docker + const envFile = join(process.cwd(), "..", ".env"); + const envFlags = existsSync(envFile) ? ["--env-file", envFile] : []; // SSH agent forwarding for git (macOS Docker Desktop magic path) const sshFlags: string[] = []; if (process.env.SSH_AUTH_SOCK) { sshFlags.push( - "-v", "/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock", - "-e", "SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock", + "-v", + "/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock", + "-e", + "SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock" ); } const home = process.env.HOME; @@ -138,20 +132,31 @@ Examples: const result = spawnSync( "docker", [ - "run", "--rm", ...ttyFlags, - "-v", `${process.cwd()}:/app/action:cached`, - "-v", "pullfrog-action-node-modules:/app/action/node_modules", - "-w", "/app/action", - "-e", "GITHUB_ACTIONS=true", - "-e", "CI=true", - ...envFlags, ...sshFlags, - "--cap-add", "SYS_ADMIN", - "--security-opt", "seccomp:unconfined", + "run", + "--rm", + ...ttyFlags, + "-v", + `${process.cwd()}:/app/action:cached`, + "-v", + "pullfrog-action-node-modules:/app/action/node_modules", + "-w", + "/app/action", + "-e", + "GITHUB_ACTIONS=true", + "-e", + "CI=true", + ...envFlags, + ...sshFlags, + "--cap-add", + "SYS_ADMIN", + "--security-opt", + "seccomp:unconfined", "node:22", - "bash", "-c", + "bash", + "-c", `corepack enable pnpm >/dev/null 2>&1 && pnpm install --frozen-lockfile && ${nodeCmd}`, ], - { stdio: "inherit" }, + { stdio: "inherit" } ); process.exit(result.status ?? 1);