Strip GitHub auth from runner job environment #142
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a1e6a26ca9
athena-omt left a comment:
Athena review: approves. The change is focused, tests cover the new guard, and I don't see a blocker in the diff.
pheidon left a comment:
Pheidon review: approves. The change is focused, tests cover the new guard, and I don't see a blocker in the diff.
4e36cff to 9ecf728
9ecf728 to 7fc56cb
athena-omt left a comment:
I checked the PR branch in the actual worktree and the fix looks complete. The runner entrypoint now stashes GitHub auth only for cleanup, unsets it before launching the job process, and the smoke harness asserts the job sees GitHub auth as unset. I also sanity-checked the CI switch to ./actions/setup-shell-safe-node; it matches the repository’s wrapper and pinned Node version.
No new blocker found.
# Conflicts:
# docker/runner-entrypoint.sh
# scripts/smoke/actions-runner/run.sh
# test/smoke-harness.test.ts
# test/workflow.test.ts
athena-omt left a comment:
APPROVE
I synced the PR mirror and reviewed the live diff in the worker worktree. The runner entrypoint now strips GitHub auth before launching the job process while preserving the credential-bearing cleanup path, and the smoke harness plus workflow tests line up with that behavior. I did not find a new merge blocker beyond the existing queue state.
Motivation

The job process inherits GitHub auth (`GITHUB_PAT` and GitHub App envs) which job-level processes can read, creating a credential-exposure vulnerability.

Description

- Add `run_runner_job_bash` in `docker/runner-entrypoint.sh` that launches `./run.sh` with `env -u` to unset `GITHUB_PAT`, `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, and `GITHUB_APP_PRIVATE_KEY` before executing the job process.
- Route only the job launch through `run_runner_job_bash` so registration/cleanup still use the existing credential-bearing path while jobs run without inherited GitHub auth.
- Update `scripts/smoke/actions-runner/run.sh` to fail if any GitHub auth env vars are present and to record the sanitized state, and add an assertion to `scripts/smoke-test.sh` to verify the job process sees `github auth: unset`.
- Files touched: `docker/runner-entrypoint.sh`, `scripts/smoke/actions-runner/run.sh`, and `scripts/smoke-test.sh`.

Testing

- Ran `pnpm --silent build && pnpm --silent test`, and all tests passed (48 test files, 263 tests succeeded).
- Ran `bash -n` on the modified shell scripts, which succeeded.
- Attempted `pnpm --silent smoke-test`, but it was blocked in this environment because Docker is not installed (`docker: command not found`), so full smoke execution could not complete here.
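As an added example (not code from this PR or its repository), here are the two halves of the pattern the description outlines, in portable sh: an entrypoint-side launcher that drops the four variables with `env -u` while the calling shell keeps them for the cleanup path, and a job-side guard of the kind the smoke `run.sh` performs. The function name `run_runner_job_bash`, the four variable names and the `github auth: unset` string come from the PR; `RUNNER_AUTH_VARS` and `check_job_env` are assumed names.

```sh
# Added example, not the PR's own entrypoint or smoke script.
# The four names below are the variables the PR unsets; RUNNER_AUTH_VARS
# and check_job_env are names assumed for this illustration.
RUNNER_AUTH_VARS="GITHUB_PAT GITHUB_APP_ID GITHUB_APP_INSTALLATION_ID GITHUB_APP_PRIVATE_KEY"

# Entrypoint side: run the job command through `env -u VAR ...` so the
# child process starts without GitHub auth. The parent shell keeps the
# variables, so registration/cleanup can still use the credential path.
run_runner_job_bash() {
  cmd="env"
  for v in $RUNNER_AUTH_VARS; do
    cmd="$cmd -u $v"
  done
  # $cmd is split on purpose: it expands to `env -u GITHUB_PAT -u ...`
  $cmd "$@"
}

# Job side: return 1 and name the leaked variables if any GitHub auth
# variable is present in the environment, otherwise report it as unset.
check_job_env() {
  leaked=""
  for v in $RUNNER_AUTH_VARS; do
    # `env` lists exported variables, so an exported-but-empty value
    # still counts as present.
    if env | grep -q "^${v}="; then
      leaked="${leaked:+$leaked }$v"
    fi
  done
  if [ -n "$leaked" ]; then
    echo "github auth: present ($leaked)"
    return 1
  fi
  echo "github auth: unset"
}
```

The guard only inspects the job process's own environment; it does not detect credentials that reach the job by another route (mounted files, metadata endpoints), so it verifies exactly the property this PR changes and nothing more.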