From c8a7aacc07007289557d9f899f91cedeb39cc940 Mon Sep 17 00:00:00 2001
From: John McChesney TenEyck Jr <59268465+jmcte@users.noreply.github.com>
Date: Mon, 22 Jun 2026 09:49:24 +0100
Subject: [PATCH] Scrub GitHub auth before runner jobs

---
 docker/runner-entrypoint.sh | 27 ++++++++++++++++++++++++++-
 scripts/smoke-test.sh | 1 +
 scripts/smoke/actions-runner/run.sh | 8 ++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/docker/runner-entrypoint.sh b/docker/runner-entrypoint.sh
index c83050e..8295ffd 100755
--- a/docker/runner-entrypoint.sh
+++ b/docker/runner-entrypoint.sh
@@ -23,6 +23,31 @@ run_runner_bash() {
   env RUNNER_EXECUTION_MODE="${runner_exec_mode}" "$@" gosu runner bash -lc "${command}"
 }
 
+run_runner_job_bash() {
+  local command="$1"
+  shift || true
+
+  if [[ "${runner_exec_mode}" == "root" ]]; then
+    env \
+      -u GITHUB_PAT \
+      -u GITHUB_APP_ID \
+      -u GITHUB_APP_INSTALLATION_ID \
+      -u GITHUB_APP_PRIVATE_KEY \
+      RUNNER_ALLOW_RUNASROOT=1 \
+      RUNNER_EXECUTION_MODE="${runner_exec_mode}" \
+      "$@" bash -lc "${command}"
+    return
+  fi
+
+  env \
+    -u GITHUB_PAT \
+    -u GITHUB_APP_ID \
+    -u GITHUB_APP_INSTALLATION_ID \
+    -u GITHUB_APP_PRIVATE_KEY \
+    RUNNER_EXECUTION_MODE="${runner_exec_mode}" \
+    "$@" gosu runner bash -lc "${command}"
+}
+
 cleanup_local_state() {
   rm -f \
     "${RUNNER_HOME}/.runner" \
@@ -254,5 +279,5 @@ runner_configured="true"
 audit_event runner_registered
 log "starting runner ${RUNNER_NAME}"
-run_runner_bash "cd '${RUNNER_HOME}' && exec ./run.sh" \
+run_runner_job_bash "cd '${RUNNER_HOME}' && exec ./run.sh" \
   2>&1 | tee -a "${RUNNER_LOG_DIR}/runner.log"
diff --git a/scripts/smoke-test.sh b/scripts/smoke-test.sh
index 13dbc4c..55a0de5 100755
--- a/scripts/smoke-test.sh
+++ b/scripts/smoke-test.sh
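Review bot: `env -u` here is a deny-list of four names, so any other credential material sitting in the entrypoint's environment still flows into the job unchanged, and the list is duplicated across the `root` and gosu branches, which is how the two drift apart the next time a credential variable is added. A single shared list keeps them in step: `local -a scrub=(-u GITHUB_PAT -u GITHUB_APP_ID -u GITHUB_APP_INSTALLATION_ID -u GITHUB_APP_PRIVATE_KEY)` expanded as `env "${scrub[@]}" …` in both branches. Both branches also run `bash -lc`, a login shell that sources profile files, so anything that re-exports these names from a profile in the image would silently undo the scrub; I cannot see the image's profiles from here, so this is worth a check rather than a claim. A header comment stating the contract would help the next reader: `# Like run_runner_bash, but strips the registration credentials from the job's environment; it does not remove them from the entrypoint process itself.`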
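Review bot: Because the runner is started through a pipe into `tee`, the entrypoint stays alive as the parent for the whole job with GITHUB_PAT and the App private key still in its own environment; `env -u` only clears the child's copy. In the `root` execution mode the job runs as root without gosu, so it can read those values back from the entrypoint's `/proc/<pid>/environ`, which makes the scrub effective only on the gosu path where the unprivileged runner user cannot open a root process's environ. If nothing after `audit_event runner_registered` re-reads them (an ephemeral re-registration loop would, and this hunk does not show whether one exists), the stronger fix is to drop them in the entrypoint itself before starting the runner: `unset GITHUB_PAT GITHUB_APP_ID GITHUB_APP_INSTALLATION_ID GITHUB_APP_PRIVATE_KEY`.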
@@ -181,6 +181,7 @@ run_smoke_case() {
   grep -q -- "--runnergroup synology-private --ephemeral --disableupdate" "${state_dir}/config-invocations.log"
   grep -q "config path: /tmp/runner-state/runner-home" "${state_dir}/config-context.log"
   grep -q "run path: /tmp/runner-state/runner-home" "${state_dir}/run-context.log"
+  grep -q "github auth: unset" "${state_dir}/run-context.log"
   grep -q "runner writable home: /tmp/runner-state/runner-home" "${runner_stdout}"
   grep -q "^job output$" "${state_dir}/logs/runner.log"
   grep -q "run.sh stub executed" "${state_dir}/run.log"
diff --git a/scripts/smoke/actions-runner/run.sh b/scripts/smoke/actions-runner/run.sh
index e19fc1a..e6483e7 100755
--- a/scripts/smoke/actions-runner/run.sh
+++ b/scripts/smoke/actions-runner/run.sh
@@ -4,6 +4,14 @@ set -euo pipefail
 printf '%s run.sh stub executed\n' "$(date -Iseconds)" >> "${RUNNER_STATE_DIR}/run.log"
 printf 'run path: %s\n' "$(pwd)" >> "${RUNNER_STATE_DIR}/run-context.log"
 printf 'run mode: %s\n' "${RUNNER_EXECUTION_MODE:-unknown}" >> "${RUNNER_STATE_DIR}/run-context.log"
+if [[ -n "${GITHUB_PAT:-}" \
+  || -n "${GITHUB_APP_ID:-}" \
+  || -n "${GITHUB_APP_INSTALLATION_ID:-}" \
+  || -n "${GITHUB_APP_PRIVATE_KEY:-}" ]]; then
+  printf 'github auth leaked to run.sh\n' >> "${RUNNER_STATE_DIR}/run-context.log"
+  exit 1
+fi
+printf 'github auth: unset\n' >> "${RUNNER_STATE_DIR}/run-context.log"
 mkdir -p "${RUNNER_WORK_DIR}/workspace"
 touch "${RUNNER_WORK_DIR}/workspace/job.txt"
 echo "job output"
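Review bot: The new `grep -q "github auth: unset"` assertion is only meaningful if the smoke harness actually exports at least one of the four credential names into the entrypoint before the run; if it does not, the stub's check passes vacuously and this line proves nothing about the scrub. run_smoke_case's setup is outside this hunk, so I cannot tell which it is, but a one-line guard in the case itself would make the intent explicit, e.g. `: "${GITHUB_PAT:?smoke case must export a dummy GITHUB_PAT to exercise the scrub}"` before the entrypoint is launched, or a comment on the new grep saying which exported dummy value the check depends on.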
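Review bot: The `-n "${GITHUB_PAT:-}"` tests treat a variable that survived as an empty string as "not leaked", but `env -u` removes the name entirely, so the stub should check presence with `[[ -v NAME ]]` to match what the entrypoint promises; as written, a regression that passes the names through with empty values would go unnoticed. Iterating over the names also lets the failure record which variable leaked (the name only, never the value) instead of a bare "leaked" line, and keeps the list in one place.

```shell
# … unchanged: run.log / run-context.log bookkeeping …
for name in GITHUB_PAT GITHUB_APP_ID GITHUB_APP_INSTALLATION_ID GITHUB_APP_PRIVATE_KEY; do
  # -v also catches a name that survived as an empty string, which env -u would have removed
  if [[ -v "${name}" ]]; then
    printf 'github auth leaked to run.sh: %s\n' "${name}" >> "${RUNNER_STATE_DIR}/run-context.log"
    exit 1
  fi
done
printf 'github auth: unset\n' >> "${RUNNER_STATE_DIR}/run-context.log"
# … unchanged: workspace setup and job output …
```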