fix: expose GITHUB_TOKEN in bulk_repo_update run script step #226
irfanuddinahmad wants to merge 1 commit into
Conversation
Allows scripts that need GitHub API access (e.g. pinact for SHA resolution) to authenticate without extra setup in the script itself. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR updates the Bulk Repo Update GitHub Actions workflow to expose a GitHub API token to the user-provided script step, enabling tools like pinact to authenticate when resolving tags to SHAs as part of the org-wide SHA-pinning migration (#165).
Changes:
- Adds an `env` block to the `run script` step to set `GITHUB_TOKEN` from `secrets.requirements_bot_github_token`.
| - name: run script | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.requirements_bot_github_token }} | ||
| run: ${{ github.event.inputs.script }} |
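Review bot: `GITHUB_TOKEN: ${{ secrets.requirements_bot_github_token }}` hands the org-wide bot secret to a step whose entire body is the freeform `${{ github.event.inputs.script }}` input, so any script text supplied to the dispatch can read and exfiltrate that token, not only pinact. Move the `env:` onto a dedicated pinact step rather than the generic `run script` step, and since tag-to-SHA resolution only needs read access, prefer the workflow-generated `secrets.GITHUB_TOKEN` under a `permissions: contents: read` block over the bot token.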
farhan left a comment
PR seems alright. Point is, should we expose the github_token for the script?
| run: pip install ${{ github.event.inputs.packages }} | ||
| - name: run script | ||
| env: |
Sharing Claude's view on the exposure of this GitHub token in the script:

The PR's intent is legitimate (pinact needs a token to resolve SHAs). But the implementation exposes a high-privilege org-wide bot token to an unrestricted freeform script execution step, which is a significant escalation of the pre-existing arbitrary code execution risk. The token should be scoped to a dedicated, purpose-specific step rather than the generic run script step.
Agreed; rather than giving it the bot token, we can have GitHub Actions generate a read-only token, which is all this should need.
https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions
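The two options discussed above, side by side, as an added example rather than the PR's own diff or the project's workflow: the step from the PR that passes the bot secret to the freeform script (commented out), and a variant that gives a dedicated pinact step the job-scoped, read-only `GITHUB_TOKEN` instead. Job and step names, the checkout step and the `permissions` placement are assumptions for illustration; only the `run script` step and the secret name come from the PR.

```yaml
# Added example, not the PR diff. Names other than the `run script` step
# and `secrets.requirements_bot_github_token` are assumed for illustration.
name: Bulk Repo Update

on:
  workflow_dispatch:
    inputs:
      script:
        description: Shell script to run in the repo
        required: true

# Least privilege for the workflow-generated token: read-only access to
# repository contents is all pinact needs to resolve tags to commit SHAs.
permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak (what the PR does): the org-wide bot secret is placed in the
      # environment of a step that executes an arbitrary, user-supplied
      # script, so any dispatched script can read it.
      # - name: run script
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.requirements_bot_github_token }}
      #   run: ${{ github.event.inputs.script }}

      # Corrected: the read-only, job-scoped GITHUB_TOKEN is exposed only to
      # a dedicated pinact step. The freeform script gets no token at all.
      - name: pin action refs
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pinact run

      - name: run script
        run: ${{ github.event.inputs.script }}
```

Two caveats worth checking before relying on this: the workflow-generated `GITHUB_TOKEN` is scoped to the repository the workflow runs in, so it can read public action repositories for tag resolution but cannot push to other repositories (whatever step does the cross-repo write keeps using its own credential, kept out of the script step); and if pinact has to resolve tags on private repositories outside that one, this token will not see them, in which case a separately issued read-only token with exactly those repositories is the next least-privilege option, still confined to the dedicated step.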
Summary
- Adds `GITHUB_TOKEN` to the `env` block of the `run script` step in `bulk_repo_update.yml`
- Allows scripts that need GitHub API access (e.g. `pinact` for SHA resolution) to authenticate without embedding token handling in the script input itself

Context
Part of the org-wide GitHub Actions SHA-pinning migration: #165

The immediate use case is running `pinact run` via this workflow to bulk-pin all `uses:` action refs to full commit SHAs across openedx repos. `pinact` requires a GitHub token to resolve tags → SHAs via the API.

Test plan
- Run `bulk_repo_update.yml` on a single test repo with `script: pinact run` after merging; confirm pinact resolves SHAs without auth errors

🤖 Generated with Claude Code