fix: preserve HAB_AUTH_TOKEN through sudo and fix Windows hab PATH

Nik08 · Copilot · sean-sype-simmons · commit 6ae4abab5c8b · 2026-04-06T10:15:54.000-04:00
Linux/macOS: `sudo hab pkg install` was dropping the HAB_AUTH_TOKEN
environment variable because sudo does not preserve env vars by default.
The token was correctly set via `export`, but the hab process running
under sudo never received it, resulting in 401 Unauthorized from Builder.

Fix: use `sudo -E` to preserve the environment across all three
`sudo hab pkg install` invocations (Linux build install, Linux download,
macOS download).

Windows: hab binary was installed to C:\ProgramData\Habitat but that
directory was never added to GITHUB_PATH in the Configure Habitat step,
causing subsequent steps to fail with 'hab is not recognized'.

Fix: add C:\ProgramData\Habitat to GITHUB_PATH.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Signed-off-by: Nikita Mathur &lt;nikita.mathur@progress.com&gt;
diff --git a/.github/workflows/grype-hab-package-scan.yml b/.github/workflows/grype-hab-package-scan.yml
@@ -152,7 +152,7 @@ jobs:
             hartifacts=$(ls results/*.hart)
             if [ -f "$hartifacts" ]; then
                 echo "Built package artifact: $hartifacts"
-                sudo hab pkg install $hartifacts
+                sudo -E hab pkg install $hartifacts
             else
                 echo "Error: No .hart file found in results/"
                 exit 1
@@ -189,7 +189,7 @@ jobs:
                 PACKAGE="${PACKAGE}/${{ inputs.hab_release }}"
             fi
             
-            INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
+            INSTALL_CMD="sudo -E hab pkg install ${PACKAGE}"
             
             if [ -n "${{ inputs.hab_channel }}" ]; then
                 INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.hab_channel }}"
@@ -298,6 +298,7 @@ jobs:
             echo "HAB_LICENSE=accept-no-persist" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
             New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
             New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"
+            echo "C:\ProgramData\Habitat" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 
       - name: Checkout code
         if: ${{ inputs.build_package == true }}
@@ -582,7 +583,7 @@ jobs:
                 PACKAGE="${PACKAGE}/${{ inputs.hab_release }}"
             fi
             
-            INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
+            INSTALL_CMD="sudo -E hab pkg install ${PACKAGE}"
             
             if [ -n "${{ inputs.hab_channel }}" ]; then
                 INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.hab_channel }}"
