Pass JOB_TOKEN and DEPENDABOT_API_URL env vars to the proxy container

Extract proxy environment construction into a proxyEnv helper and
forward the JOB_TOKEN and DEPENDABOT_API_URL environment variables to
the proxy container. Each is only forwarded when actually set on the
host, so an unset variable is omitted entirely (matching prior behavior).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: brettfo

internal/infra/proxy.go

@@ -79,16 +79,7 @@ func NewProxy(ctx context.Context, cli *client.Client, params *RunParams, nets *
 	}
 	config := &container.Config{
 		Image: params.ProxyImage,
-		Env: []string{
-			"HTTP_PROXY=" + os.Getenv("HTTP_PROXY"),
-			"HTTPS_PROXY=" + os.Getenv("HTTPS_PROXY"),
-			"NO_PROXY=" + os.Getenv("NO_PROXY"),
-			"JOB_ID=" + jobID,
-			"PROXY_CACHE=true",
-			"LOG_RESPONSE_BODY_ON_AUTH_FAILURE=true",
-			"ACTIONS_ID_TOKEN_REQUEST_TOKEN=" + os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"),
-			"ACTIONS_ID_TOKEN_REQUEST_URL=" + os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"),
-		},
+		Env:   proxyEnv(),
 		Entrypoint: []string{
 			"sh", "-c", "update-ca-certificates && /dependabot-proxy",
 		},
@@ -141,6 +132,30 @@ func NewProxy(ctx context.Context, cli *client.Client, params *RunParams, nets *
 	return proxy, nil
 }
 
+// proxyEnv builds the environment variables passed to the proxy container.
+func proxyEnv() []string {
+	env := []string{
+		"HTTP_PROXY=" + os.Getenv("HTTP_PROXY"),
+		"HTTPS_PROXY=" + os.Getenv("HTTPS_PROXY"),
+		"NO_PROXY=" + os.Getenv("NO_PROXY"),
+		"JOB_ID=" + jobID,
+		"PROXY_CACHE=true",
+		"LOG_RESPONSE_BODY_ON_AUTH_FAILURE=true",
+		"ACTIONS_ID_TOKEN_REQUEST_TOKEN=" + os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"),
+		"ACTIONS_ID_TOKEN_REQUEST_URL=" + os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"),
+	}
+	// Only forward JOB_TOKEN when it is actually set on the host, so the proxy
+	// container sees no JOB_TOKEN variable at all when the host doesn't set one.
+	if token, ok := os.LookupEnv("JOB_TOKEN"); ok {
+		env = append(env, "JOB_TOKEN="+token)
+	}
+	// Likewise, only forward DEPENDABOT_API_URL when the host has it set.
+	if apiURL, ok := os.LookupEnv("DEPENDABOT_API_URL"); ok {
+		env = append(env, "DEPENDABOT_API_URL="+apiURL)
+	}
+	return env
+}
+
 func putProxyConfig(ctx context.Context, cli *client.Client, config *Config, id string) error {
 	opt := container.CopyToContainerOptions{}
 

internal/infra/proxy_test.go

@@ -0,0 +1,99 @@
+package infra
+
+import (
+	"os"
+	"strings"
+	"testing"
+)
+
+func envValue(env []string, key string) (string, bool) {
+	prefix := key + "="
+	for _, e := range env {
+		if strings.HasPrefix(e, prefix) {
+			return strings.TrimPrefix(e, prefix), true
+		}
+	}
+	return "", false
+}
+
+func Test_proxyEnv_JobToken(t *testing.T) {
+	t.Run("passes JOB_TOKEN from environment", func(t *testing.T) {
+		t.Setenv("JOB_TOKEN", "super-secret-token")
+
+		env := proxyEnv()
+
+		value, ok := envValue(env, "JOB_TOKEN")
+		if !ok {
+			t.Fatal("expected JOB_TOKEN to be present in proxy env")
+		}
+		if value != "super-secret-token" {
+			t.Errorf("expected JOB_TOKEN to be %q, got %q", "super-secret-token", value)
+		}
+	})
+
+	t.Run("omits JOB_TOKEN when unset", func(t *testing.T) {
+		t.Setenv("JOB_TOKEN", "placeholder")
+		os.Unsetenv("JOB_TOKEN")
+
+		env := proxyEnv()
+
+		if _, ok := envValue(env, "JOB_TOKEN"); ok {
+			t.Error("expected JOB_TOKEN to be absent from proxy env when host has it unset")
+		}
+	})
+
+	t.Run("forwards empty JOB_TOKEN when set to empty", func(t *testing.T) {
+		t.Setenv("JOB_TOKEN", "")
+
+		env := proxyEnv()
+
+		value, ok := envValue(env, "JOB_TOKEN")
+		if !ok {
+			t.Fatal("expected JOB_TOKEN to be present when host sets it (even empty)")
+		}
+		if value != "" {
+			t.Errorf("expected JOB_TOKEN to be empty, got %q", value)
+		}
+	})
+}
+
+func Test_proxyEnv_DependabotAPIURL(t *testing.T) {
+	t.Run("passes DEPENDABOT_API_URL from environment", func(t *testing.T) {
+		t.Setenv("DEPENDABOT_API_URL", "https://api.example.com")
+
+		env := proxyEnv()
+
+		value, ok := envValue(env, "DEPENDABOT_API_URL")
+		if !ok {
+			t.Fatal("expected DEPENDABOT_API_URL to be present in proxy env")
+		}
+		if value != "https://api.example.com" {
+			t.Errorf("expected DEPENDABOT_API_URL to be %q, got %q", "https://api.example.com", value)
+		}
+	})
+
+	t.Run("omits DEPENDABOT_API_URL when unset", func(t *testing.T) {
+		t.Setenv("DEPENDABOT_API_URL", "placeholder")
+		os.Unsetenv("DEPENDABOT_API_URL")
+
+		env := proxyEnv()
+
+		if _, ok := envValue(env, "DEPENDABOT_API_URL"); ok {
+			t.Error("expected DEPENDABOT_API_URL to be absent from proxy env when host has it unset")
+		}
+	})
+
+	t.Run("forwards empty DEPENDABOT_API_URL when set to empty", func(t *testing.T) {
+		t.Setenv("DEPENDABOT_API_URL", "")
+
+		env := proxyEnv()
+
+		value, ok := envValue(env, "DEPENDABOT_API_URL")
+		if !ok {
+			t.Fatal("expected DEPENDABOT_API_URL to be present when host sets it (even empty)")
+		}
+		if value != "" {
+			t.Errorf("expected DEPENDABOT_API_URL to be empty, got %q", value)
+		}
+	})
+}