Strip GitHub auth from runner job environment#141
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c8a7aacc07
| env \ | ||
| -u GITHUB_PAT \ | ||
| -u GITHUB_APP_ID \ | ||
| -u GITHUB_APP_INSTALLATION_ID \ | ||
| -u GITHUB_APP_PRIVATE_KEY \ |
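Review bot: the four `-u` flags form a fixed denylist, so any further secret that lands in the entrypoint's environment later is inherited by `./run.sh` unless someone remembers to extend this exact list; defining the names once in a variable that both this launcher and the smoke check in `scripts/smoke/actions-runner/run.sh` read, or starting the job with `env -i` plus an explicit allowlist of what `./run.sh` needs, would make the guard fail closed instead of open. Note also that `-u` is not part of POSIX env (GNU coreutils, the BSDs and BusyBox accept it), so the entrypoint's base image decides whether this line works at all.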
Keep root-mode runner secrets out of parent processes
In root execution mode, this only removes the GitHub auth variables from the child ./run.sh environment; the entrypoint shell that started the pipeline still keeps its original environment while the runner is active. For supported root-mode runners such as RUNNER_EXEC_MODE_OVERRIDE=root on the Linux Docker plane or Synology root fallback, workflow processes also run as root and can read another root process's /proc/<pid>/environ, so they can still recover GITHUB_PAT or the App credentials despite this sanitization.
athena-omt
left a comment
Athena review: approves. The change is focused, tests cover the new guard, and I don't see a blocker in the diff.
pheidon
left a comment
Pheidon review: approves. The change is focused, tests cover the new guard, and I don't see a blocker in the diff.
Motivation
GITHUB_PAT and GitHub App envs) which job-level processes can read, creating a credential-exposure vulnerability.
Description
- `run_runner_job_bash` in `docker/runner-entrypoint.sh` that launches `./run.sh` with `env -u` to unset `GITHUB_PAT`, `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, and `GITHUB_APP_PRIVATE_KEY` before executing the job process.
- `run_runner_job_bash` so registration/cleanup still use the existing credential-bearing path while jobs run without inherited GitHub auth.
- `scripts/smoke/actions-runner/run.sh` to fail if any GitHub auth env vars are present and to record the sanitized state, and add an assertion to `scripts/smoke-test.sh` to verify the job process sees `github auth: unset`.
- `docker/runner-entrypoint.sh`, `scripts/smoke/actions-runner/run.sh`, and `scripts/smoke-test.sh`.
Testing
- `pnpm --silent build && pnpm --silent test`, and all tests passed (48 test files, 263 tests succeeded).
- `bash -n` on modified shell scripts which succeeded.
- `pnpm --silent smoke-test` but it was blocked in this environment because Docker is not installed (`docker: command not found`), so full smoke execution could not complete here.
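The script below is an added illustration written for this page; it is not code from PR #141 or from the project. It reproduces both halves of the discussion above in one place: the PR's `env -u` launcher, after which the sanitized child no longer sees `GITHUB_PAT`, and the Codex caveat that a child running as the same user can still read `/proc/<pid>/environ` of a parent whose execve environment carried the credential. The four variable names are the ones the PR strips; the token value `ghp_constructed_example_token`, the `GITHUB_APP_ID` value, the temp-file names and the function names are constructed for the example. It assumes Linux with `/proc` mounted and an `env` that accepts `-u` (GNU, BSD and BusyBox do).

```shell
#!/bin/sh
# Added example, not part of PR #141. Shows what `env -u` protects and what it does not.
# Assumes Linux (/proc mounted) and an env(1) that accepts -u (GNU, BSD, BusyBox).
set -eu

# The four names the PR strips. The token value is made up for this example.
AUTH_VARS="GITHUB_PAT GITHUB_APP_ID GITHUB_APP_INSTALLATION_ID GITHUB_APP_PRIVATE_KEY"
FAKE_PAT="ghp_constructed_example_token"

# Build "-u NAME -u NAME ..." from AUTH_VARS, the same shape as the PR's launcher.
unset_args() {
  args=""
  for v in $AUTH_VARS; do args="$args -u $v"; done
  printf '%s' "$args"
}

# Part 1: what the sanitized job process sees in its own environment.
# Prints the child's view of GITHUB_PAT, or "unset" when the variable is gone.
job_sees_auth_var() {
  GITHUB_PAT="$FAKE_PAT" GITHUB_APP_ID="12345" \
    env $(unset_args) sh -c 'printf "%s" "${GITHUB_PAT:-unset}"'
}

# Part 2: the Codex caveat. A parent that was exec'd with GITHUB_PAT in its
# environment (like the entrypoint shell) launches a sanitized child, and the
# child reads the parent's /proc/<pid>/environ instead of its own environment.
write_scripts() {
  # reader.sh is the sanitized child; $1 is the parent's pid.
  cat > "$1/reader.sh" <<'EOF'
pid="$1"
val="$(tr '\0' '\n' < "/proc/$pid/environ" | sed -n 's/^GITHUB_PAT=//p')"
printf '%s' "${val:-unset}"
EOF
  # parent.sh is started with GITHUB_PAT set; $$ stays the parent's pid inside $(...).
  cat > "$1/parent.sh" <<'EOF'
reader="$1"
out="$(env -u GITHUB_PAT -u GITHUB_APP_ID -u GITHUB_APP_INSTALLATION_ID -u GITHUB_APP_PRIVATE_KEY \
  sh "$reader" "$$")"
printf '%s' "$out"
EOF
}

# Prints whatever the sanitized child could recover from the parent's environ.
recover_from_parent_environ() {
  dir="$(mktemp -d)"
  write_scripts "$dir"
  # The credential goes into parent.sh's execve environment, as it would for a
  # process started with `docker run -e GITHUB_PAT=...`. Exporting it from an
  # already running shell would not change that shell's /proc/<pid>/environ.
  GITHUB_PAT="$FAKE_PAT" sh "$dir/parent.sh" "$dir/reader.sh"
  rm -rf "$dir"
}

printf 'sanitized job sees GITHUB_PAT=%s\n' "$(job_sees_auth_var)"
printf 'sanitized child recovered from parent environ: %s\n' "$(recover_from_parent_environ)"
```

The second function only succeeds because the child and the parent share a uid; the fix the Codex comment points at is therefore not a longer `-u` list but a privilege boundary (a different user for the job, or never placing the credential in a long-lived process's execve environment in the first place).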