Fix and secure GITHUB_TOKEN

core/graph.go

@@ -277,6 +277,30 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 		return CreateErr(nil, err, "failed to load yaml")
 	}
 
+	// Capture GITHUB_TOKEN / INPUT_GITHUB_TOKEN from the OS environment and store in
+	// OverrideSecrets so it remains available for repo cloning (gh-action) and
+	// is properly surfaced as secrets.GITHUB_TOKEN / github.token. Then remove
+	// from the OS environment to prevent subprocesses from extracting it via
+	// /proc/<ppid>/environ or similar.
+	if opts.OverrideSecrets == nil {
+		opts.OverrideSecrets = make(map[string]string)
+	}
+	if _, exists := opts.OverrideSecrets["GITHUB_TOKEN"]; !exists {
+		if ghToken, ok := opts.OverrideEnv["GITHUB_TOKEN"]; ok && ghToken != "" {
+			opts.OverrideSecrets["GITHUB_TOKEN"] = ghToken
+		} else if ghToken := os.Getenv("GITHUB_TOKEN"); ghToken != "" {
+			opts.OverrideSecrets["GITHUB_TOKEN"] = ghToken
+		} else if inputToken := os.Getenv("INPUT_GITHUB_TOKEN"); inputToken != "" {
+			opts.OverrideSecrets["GITHUB_TOKEN"] = inputToken
+		} else if inputToken := os.Getenv("INPUT_TOKEN"); inputToken != "" {
+			opts.OverrideSecrets["GITHUB_TOKEN"] = inputToken
+		}
+	}
+	delete(opts.OverrideEnv, "GITHUB_TOKEN")
+	os.Unsetenv("GITHUB_TOKEN")
+	os.Unsetenv("INPUT_GITHUB_TOKEN")
+	os.Unsetenv("INPUT_TOKEN")
+
 	ag, errs := LoadGraph(graphYaml, nil, "", false, opts)
 	if len(errs) > 0 {
 		return CreateErr(nil, errs[0], "failed to load graph")
@@ -299,13 +323,13 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 	isGitHubWorkflow := false
 	if opts.OverrideEnv["GITHUB_ACTIONS"] == "true" {
 		isGitHubWorkflow = true
-		utils.LogOut.Infof("GitHub workflow detected via OverrideEnv")
+		utils.LogOut.Info("GitHub workflow detected via OverrideEnv\n")
 	} else if os.Getenv("GITHUB_ACTIONS") == "true" {
 		isGitHubWorkflow = true
-		utils.LogOut.Infof("GitHub workflow detected via GITHUB_ACTIONS environment variable (.env or shell)")
+		utils.LogOut.Info("GitHub workflow detected via GITHUB_ACTIONS environment variable (.env or shell)\n")
 	} else if entryNode.GetNodeTypeId() == "core/gh-start@v1" {
 		isGitHubWorkflow = true
-		utils.LogOut.Infof("GitHub workflow detected via entry node type: core/gh-start@v1")
+		utils.LogOut.Info("GitHub workflow detected via entry node type: core/gh-start@v1\n")
 	}
 
 	// mimickGitHubEnv: Determines if we need to set up a simulated GitHub environment. The easiest
@@ -406,7 +430,7 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 			if m, err := decodeJsonFromEnvValue[any](v.Value); err == nil {
 				needsTracker.set(m, source, true, true)
 			}
-		case isGitHubWorkflow && k == "ACT_INPUT_TOKEN":
+		case isGitHubWorkflow && (k == "ACT_INPUT_TOKEN" || k == "ACT_INPUT_GITHUB_TOKEN"):
 			secretTracker.setSingle("GITHUB_TOKEN", v.Value, source, true, true)
 
 		default:
@@ -440,17 +464,19 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 	}
 
 	if mimickGitHubEnv {
-		if cwd, ok := finalEnv["GITHUB_WORKSPACE"]; ok {
-			newCwd = cwd
-			utils.LogOut.Debugf("changing working directory to GITHUB_WORKSPACE: %s\n", newCwd)
-		}
-
 		// If we are running a github actions workflow, then mimic a GitHub Actions environment
 		// But only do is if we are NOT already in GitHub Actions
 		err = SetupGitHubActionsEnv(finalEnv)
 		if err != nil {
 			return CreateErr(nil, err, "failed to setup GitHub Actions environment")
 		}
+
+		// Use the updated GITHUB_WORKSPACE as the working directory.
+		// SetupGitHubActionsEnv replaces GITHUB_WORKSPACE with a fresh temp folder.
+		if cwd, ok := finalEnv["GITHUB_WORKSPACE"]; ok {
+			newCwd = cwd
+			utils.LogOut.Debugf("changing working directory to GITHUB_WORKSPACE: %s\n", newCwd)
+		}
 	} else if debugCb != nil && newCwd == "" {
 		// for debug sessions, always create a temp working directory if none is set
 		tmpDir, tmpErr := os.MkdirTemp("", "actrun-debug-*")

nodes/gh-action@v1.go

@@ -396,28 +396,14 @@ func init() {
 			return nil, []error{core.CreateErr(nil, nil, "node representing GitHub Action '%v' can only be used in a GitHub Actions workflow.", nodeType)}
 		}
 
-		// Reminder:
-		// `INPUT_TOKEN` comes from the GitHub Action actionforge/action.
-		// `GITHUB_TOKEN` is manually provided, eg through the web app and has a higher precedence.
-		// GITHUB_TOKEN should always be set via secrets, but just in case the user provides it via env, check also there
 		ghToken := opts.OverrideSecrets["GITHUB_TOKEN"]
-		if ghToken == "" {
-			ghToken = opts.OverrideEnv["GITHUB_TOKEN"]
-			if ghToken == "" {
-				ghToken = os.Getenv("GITHUB_TOKEN")
-				if ghToken == "" {
-					// Note that `INPUT_*` env vars are only prefixed for the graph execution, not here
-					ghToken = os.Getenv("INPUT_TOKEN")
-				}
-			}
-		}
 
 		// TODO: (Seb) for the validation process we only need the action.yml, not the entire repo
 		// so check if we are in validate mode and only download the action.yml file
 		_, err = os.Stat(actionRepoRoot)
 		if errors.Is(err, os.ErrNotExist) {
 			if ghToken == "" {
-				return nil, []error{core.CreateErr(nil, nil, "neither GITHUB_TOKEN nor INPUT_TOKEN are set")}
+				return nil, []error{core.CreateErr(nil, nil, "neither GITHUB_TOKEN nor INPUT_GITHUB_TOKEN are set")}
 			}
 
 			cloneUrl := fmt.Sprintf("https://github.com/%s/%s", owner, repo)

tests_e2e/references/reference_app.sh_l12

@@ -23,19 +23,19 @@ hint:
 
 stack trace:
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1123
+	graph.go:-1
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
-	cmd_root.go:188
+	cmd_root.go:-1
 github.com/spf13/cobra.(*Command).execute
 	command.go:-1
 github.com/spf13/cobra.(*Command).ExecuteC
 	command.go:-1
 github.com/spf13/cobra.(*Command).Execute
 	command.go:-1
 github.com/actionforge/actrun-cli/cmd.Execute
-	cmd_root.go:200
+	cmd_root.go:-1
 main.main
-	main.go:26
+	main.go:-1
 runtime.main
 	proc.go:-1
 runtime.goexit

tests_e2e/references/reference_dir-walk.sh_l56

@@ -32,31 +32,31 @@ error:
 
 stack trace:
 github.com/actionforge/actrun-cli/nodes.(*WalkNode).ExecuteImpl
-	dir-walk@v1.go:62
+	dir-walk@v1.go:-1
 github.com/actionforge/actrun-cli/core.(*Executions).Execute
-	executions.go:68
+	executions.go:-1
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
-	start@v1.go:50
+	start@v1.go:-1
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
-	start@v1.go:45
+	start@v1.go:-1
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:514
+	graph.go:-1
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1104
+	graph.go:-1
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1126
+	graph.go:-1
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
-	cmd_root.go:188
+	cmd_root.go:-1
 github.com/spf13/cobra.(*Command).execute
 	command.go:-1
 github.com/spf13/cobra.(*Command).ExecuteC
 	command.go:-1
 github.com/spf13/cobra.(*Command).Execute
 	command.go:-1
 github.com/actionforge/actrun-cli/cmd.Execute
-	cmd_root.go:200
+	cmd_root.go:-1
 main.main
-	main.go:26
+	main.go:-1
 runtime.main
 	proc.go:-1
 runtime.goexit

tests_e2e/references/reference_error_no_output.sh_l8

@@ -33,41 +33,41 @@ hint:
 
 stack trace:
 github.com/actionforge/actrun-cli/core.(*Outputs).OutputValueById
-	outputs.go:114
+	outputs.go:-1
 github.com/actionforge/actrun-cli/core.(*Inputs).InputValueById
-	inputs.go:364
+	inputs.go:-1
 github.com/actionforge/actrun-cli/core.inputValueById[...]
-	inputs.go:483
+	inputs.go:-1
 github.com/actionforge/actrun-cli/core.InputValueFromSubInputs[...]
-	inputs.go:478
+	inputs.go:-1
 github.com/actionforge/actrun-cli/core.InputArrayValueById[...]
-	inputs.go:560
+	inputs.go:-1
 github.com/actionforge/actrun-cli/nodes.(*PrintNode).ExecuteImpl
-	print@v1.go:27
+	print@v1.go:-1
 github.com/actionforge/actrun-cli/core.(*Executions).Execute
-	executions.go:68
+	executions.go:-1
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
-	start@v1.go:50
+	start@v1.go:-1
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
-	start@v1.go:45
+	start@v1.go:-1
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:514
+	graph.go:-1
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1104
+	graph.go:-1
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1126
+	graph.go:-1
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
-	cmd_root.go:188
+	cmd_root.go:-1
 github.com/spf13/cobra.(*Command).execute
 	command.go:-1
 github.com/spf13/cobra.(*Command).ExecuteC
 	command.go:-1
 github.com/spf13/cobra.(*Command).Execute
 	command.go:-1
 github.com/actionforge/actrun-cli/cmd.Execute
-	cmd_root.go:200
+	cmd_root.go:-1
 main.main
-	main.go:26
+	main.go:-1
 runtime.main
 	proc.go:-1
 runtime.goexit