
Commit bf8ffdb

committed
fix: token safety
1 parent 8989d81 commit bf8ffdb

4 files changed

Lines changed: 14 additions & 7 deletions


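--- a/.github/workflows/auto-merge-on-approval.yml
+++ b/.github/workflows/auto-merge-on-approval.yml
@@ -100,6 +100,7 @@ jobs:
 id: config
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 run: |
 echo "📋 Extracting auto-merge configuration from environment..."
 
@@ -156,7 +157,7 @@ jobs:
 echo " 🏷️ Labels to add: $LABELS_TO_ADD"
 echo " 🤖 Skip bot PRs: $SKIP_BOT_PRS"
 
-if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "${{ secrets.GH_PAT_TOKEN }}" ]]; then
+if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "$GH_PAT_TOKEN" ]]; then
 echo " 🔑 Token: Personal Access Token (PAT)"
 else
 echo " 🔑 Token: Default GITHUB_TOKEN"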
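Review bot: The new `GH_PAT_TOKEN` env entry puts the full PAT into the environment of a step that only needs to know whether the secret exists — the `-n "$GH_PAT_TOKEN"` test in the second hunk is its sole use. Moving the value out of inline `${{ }}` interpolation is the right direction, but a boolean expression keeps the token out of this shell entirely: `HAS_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN != '' }}` in `env:` and `if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && "$HAS_PAT_TOKEN" == "true" ]]; then` in the script. GitHub masks the secret in logs, but an accidental `env` dump or `set -x` in this step would then have nothing sensitive to expose. The `config` step's `run:` body begins before the first hunk and continues between the two, so the rest of its script is not visible here.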

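--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -101,6 +101,7 @@ jobs:
 id: config
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 run: |
 echo "📋 Extracting Dependabot configuration from environment..."
 
@@ -145,7 +146,7 @@ jobs:
 echo " 🏷️ Manual review label: $MANUAL_REVIEW_LABEL"
 echo " 🏷️ Auto-merge labels: $AUTO_MERGE_LABELS"
 
-if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "${{ secrets.GH_PAT_TOKEN }}" ]]; then
+if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "$GH_PAT_TOKEN" ]]; then
 echo " 🔑 Token: Personal Access Token (PAT)"
 else
 echo " 🔑 Token: Default GITHUB_TOKEN"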
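Review bot: Exporting `GH_PAT_TOKEN` into this config step's environment is broader than the step needs, since the only consumer is the emptiness check `-n "$GH_PAT_TOKEN"` in the second hunk. A presence flag computed in the expression layer gives the same answer without the secret ever reaching the shell: `HAS_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN != '' }}` alongside `ENV_JSON`, then `if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && "$HAS_PAT_TOKEN" == "true" ]]; then`. One caveat worth confirming against the trigger, which is outside this hunk: if the workflow runs on `pull_request` events opened by Dependabot, repository secrets are presumably not supplied unless also defined as Dependabot secrets, so `$GH_PAT_TOKEN` would be empty and the log would report the default token even when the operator expects the PAT. The `config` step's script starts before the first hunk and continues between the two hunks.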

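--- a/.github/workflows/stale-check.yml
+++ b/.github/workflows/stale-check.yml
@@ -84,10 +84,11 @@ jobs:
 - name: 🔑 Log token configuration
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 run: |
 PREFERRED_TOKEN=$(echo "$ENV_JSON" | jq -r '.PREFERRED_GITHUB_TOKEN')
 
-if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "${{ secrets.GH_PAT_TOKEN }}" ]]; then
+if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "$GH_PAT_TOKEN" ]]; then
 echo "✅ Using Personal Access Token (PAT) for stale check operations"
 else
 echo "✅ Using default GITHUB_TOKEN for stale check operations"
@@ -153,6 +154,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 with:
 github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
 script: |
@@ -164,7 +166,7 @@ jobs:
 const daysBeforeClose = parseInt('${{ steps.config.outputs.days-before-close }}');
 const envJson = JSON.parse(process.env.ENV_JSON);
 const preferredToken = envJson.PREFERRED_GITHUB_TOKEN;
-const isUsingPAT = preferredToken === 'GH_PAT_TOKEN' && '${{ secrets.GH_PAT_TOKEN }}' !== '';
+const isUsingPAT = preferredToken === 'GH_PAT_TOKEN' && process.env.GH_PAT_TOKEN !== '';
 
 console.log('📋 === Processing Issues ===');
 console.log(`🏷️ Exempt labels: ${exemptLabels.join(', ')}`);
@@ -536,12 +538,13 @@ jobs:
 - name: 📊 Generate workflow summary
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 run: |
 echo "🚀 Generating workflow summary..."
 
 # Determine which token was used
 PREFERRED_TOKEN=$(echo "$ENV_JSON" | jq -r '.PREFERRED_GITHUB_TOKEN')
-if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "${{ secrets.GH_PAT_TOKEN }}" ]]; then
+if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "$GH_PAT_TOKEN" ]]; then
 TOKEN_TYPE="🔑 Personal Access Token (PAT)"
 else
 TOKEN_TYPE="🔑 Default GITHUB_TOKEN"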
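Review bot: The `isUsingPAT` value on the new line in the third hunk can disagree with the token the step actually uses: `github-token:` two context lines earlier selects `secrets.GH_PAT_TOKEN` whenever it is non-empty, with no regard for `PREFERRED_GITHUB_TOKEN`, so a run configured to prefer `GITHUB_TOKEN` while a PAT is present acts under the PAT identity and logs `isUsingPAT` as false; the `TOKEN_TYPE` summary in the last hunk has the same split. For a workflow that closes issues this matters for audit, so selection and reporting should come from one expression — either `github-token: ${{ fromJSON(needs.load-env.outputs.env-json).PREFERRED_GITHUB_TOKEN == 'GH_PAT_TOKEN' && secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}` (assuming `env-json` is a plain JSON string, as the `JSON.parse` on the context line suggests), or drop the preference from `isUsingPAT` and `TOKEN_TYPE` so they describe what really happened. Separately, `process.env.GH_PAT_TOKEN !== ''` only holds because the `env:` entry is always declared; `Boolean(process.env.GH_PAT_TOKEN)` would not silently report true if that entry is ever removed. The `github-script` step's `script:` body runs well past the third hunk.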

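--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -110,10 +110,11 @@ jobs:
 - name: 🔑 Log token configuration
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 run: |
 PREFERRED_TOKEN=$(echo "$ENV_JSON" | jq -r '.PREFERRED_GITHUB_TOKEN')
 
-if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "${{ secrets.GH_PAT_TOKEN }}" ]]; then
+if [[ "$PREFERRED_TOKEN" == "GH_PAT_TOKEN" && -n "$GH_PAT_TOKEN" ]]; then
 echo "✅ Using Personal Access Token (PAT) for label operations"
 else
 echo "✅ Using default GITHUB_TOKEN for label operations"
@@ -211,6 +212,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 ENV_JSON: ${{ needs.load-env.outputs.env-json }}
+GH_PAT_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
 with:
 github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
 script: |
@@ -220,7 +222,7 @@ jobs:
 const labelsCount = '${{ steps.parse_labels.outputs.labels_count }}';
 const envJson = JSON.parse(process.env.ENV_JSON);
 const preferredToken = envJson.PREFERRED_GITHUB_TOKEN;
-const isUsingPAT = preferredToken === 'GH_PAT_TOKEN' && '${{ secrets.GH_PAT_TOKEN }}' !== '';
+const isUsingPAT = preferredToken === 'GH_PAT_TOKEN' && process.env.GH_PAT_TOKEN !== '';
 
 console.log('🏷️ === Label Sync Configuration ===');
 console.log(`📊 Labels count: ${labelsCount}`);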
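Review bot: `isUsingPAT` on the new line reports the configured preference, but `github-token:` in the previous hunk hands the script the PAT whenever `secrets.GH_PAT_TOKEN` is set, preference or not, so the "Label Sync Configuration" log can name the wrong identity. Rather than exporting the secret value into `env:` just to test it in JavaScript, export the same condition the `with:` block already evaluates — `USING_PAT: ${{ secrets.GH_PAT_TOKEN != '' }}` — and log `const isUsingPAT = process.env.USING_PAT === 'true';`; the token then never enters `process.env`, and the log cannot drift from the selection. If the preference is meant to be honoured, it has to be applied in the `github-token:` expression itself, not only in the log line. The `script:` body continues past the last hunk, and the step that produces `steps.parse_labels.outputs.labels_count` is outside this view.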
