fix: address Copilot PR review feedback

fengmk2 · fengmk2 · commit 42d342a4e04d · 2026-04-22T20:49:18.000+08:00
- Switch RESERVED_ENV_VARS from a fixed denylist to prefix-based blocking
  (RUNNER_*, GITHUB_*) with GITHUB_TOKEN on an explicit allowlist. Previously
  a `.npmrc` referencing e.g. ${GITHUB_REF} or ${RUNNER_NAME} would re-export
  those via GITHUB_ENV and clobber runner-provided values for later steps
- Skip registry values containing ${VAR} when computing registriesNeedingAuth;
  npm/pnpm do not expand env vars inside `.npmrc` keys, so synthesizing an
  `_authToken` line against a non-literal URL would silently produce an
  unreachable auth entry. The referenced var is still collected for env
  propagation
- Reword the README so `registry-url` is described as bypassing the action's
  repo-.npmrc detection, not the package manager's config resolution
diff --git a/README.md b/README.md
@@ -117,7 +117,9 @@ steps:
 If you already have the `_authToken` line in your repo `.npmrc` (e.g. for local
 dev symmetry), that's respected as-is and the action won't overwrite it.
 
-Alternatively, pass `registry-url` explicitly to skip repo-level `.npmrc` entirely:
+Alternatively, pass `registry-url` explicitly to bypass the action's repo-level
+`.npmrc` detection and auth propagation logic (the package manager may still
+read the repo `.npmrc` per its own config resolution):
 
 ```yaml
 steps:
diff --git a/dist/index.mjs b/dist/index.mjs
diff --git a/src/auth.test.ts b/src/auth.test.ts
@@ -251,6 +251,34 @@ describe("propagateProjectNpmrcAuth", () => {
     expect(exportVariable).not.toHaveBeenCalledWith("HOME", expect.anything());
   });
 
+  it("blocks runner-managed GITHUB_* and RUNNER_* vars by default", () => {
+    mockNpmrc(
+      [
+        "tag=${GITHUB_REF}",
+        "agent=${RUNNER_NAME}",
+        "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}",
+      ].join("\n"),
+    );
+    vi.stubEnv("GITHUB_REF", "refs/heads/main");
+    vi.stubEnv("RUNNER_NAME", "runner-1");
+    vi.stubEnv("NODE_AUTH_TOKEN", "tok");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).not.toHaveBeenCalledWith("GITHUB_REF", expect.anything());
+    expect(exportVariable).not.toHaveBeenCalledWith("RUNNER_NAME", expect.anything());
+    expect(exportVariable).toHaveBeenCalledWith("NODE_AUTH_TOKEN", "tok");
+  });
+
+  it("allows GITHUB_TOKEN through as an auth token", () => {
+    mockNpmrc("//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}");
+    vi.stubEnv("GITHUB_TOKEN", "gh-token");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).toHaveBeenCalledWith("GITHUB_TOKEN", "gh-token");
+  });
+
   it("exports all referenced auth-like env vars, deduping repeats", () => {
     mockNpmrc(
       [
@@ -384,6 +412,17 @@ describe("propagateProjectNpmrcAuth", () => {
     expect(exportVariable).toHaveBeenCalledWith("NPM_CONFIG_USERCONFIG", supplementalPath);
   });
 
+  it("skips registries whose value contains ${VAR} (cannot synthesize a valid auth key)", () => {
+    mockNpmrc("@myorg:registry=${CUSTOM_REGISTRY}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "tok");
+    vi.stubEnv("CUSTOM_REGISTRY", "https://npm.example.com");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(writeFileSync).not.toHaveBeenCalled();
+    expect(exportVariable).toHaveBeenCalledWith("CUSTOM_REGISTRY", "https://npm.example.com");
+  });
+
   it("treats _authToken key case-insensitively when checking project .npmrc", () => {
     mockNpmrc(
       [
diff --git a/src/auth.ts b/src/auth.ts
@@ -85,21 +85,18 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string, scope?:
   exportVariable("NODE_AUTH_TOKEN", process.env.NODE_AUTH_TOKEN || "XXXXX-XXXXX-XXXXX-XXXXX");
 }
 
-// Env vars the runner/system manages — never re-export via GITHUB_ENV
-const RESERVED_ENV_VARS = new Set([
-  "PATH",
-  "HOME",
-  "USERPROFILE",
-  "TMPDIR",
-  "RUNNER_TEMP",
-  "RUNNER_OS",
-  "RUNNER_ARCH",
-  "GITHUB_ACTIONS",
-  "GITHUB_WORKSPACE",
-  "GITHUB_REPOSITORY",
-  "GITHUB_REPOSITORY_OWNER",
-  "CI",
-]);
+// GitHub-Actions-managed namespaces: re-exporting any of these via GITHUB_ENV
+// could clobber runner-provided values for subsequent steps. Block the whole
+// prefix by default; allow only vars that are legitimately passed as auth tokens.
+const RUNTIME_ENV_ALLOWLIST = new Set(["GITHUB_TOKEN"]);
+const ALWAYS_RESERVED = new Set(["PATH", "HOME", "USERPROFILE", "TMPDIR", "CI"]);
+
+function isReservedEnvVar(name: string): boolean {
+  if (ALWAYS_RESERVED.has(name)) return true;
+  if (name.startsWith("RUNNER_")) return true;
+  if (name.startsWith("GITHUB_")) return !RUNTIME_ENV_ALLOWLIST.has(name);
+  return false;
+}
 
 function analyzeProjectNpmrc(content: string): {
   registriesNeedingAuth: string[];
@@ -119,7 +116,12 @@ function analyzeProjectNpmrc(content: string): {
     const value = line.slice(eq + 1).trim();
 
     if (lowerKey === "registry" || lowerKey.endsWith(":registry")) {
-      registries.add(value.endsWith("/") ? value : value + "/");
+      // Skip values that rely on env-var expansion — the key for the matching
+      // `_authToken` line must be a literal URL, and `${VAR}` isn't expanded
+      // inside `.npmrc` keys by npm/pnpm.
+      if (!value.includes("${")) {
+        registries.add(value.endsWith("/") ? value : value + "/");
+      }
     }
     if (lowerKey.startsWith("//") && lowerKey.endsWith(":_authtoken")) {
       authKeys.add(lowerKey);
@@ -185,7 +187,7 @@ export function propagateProjectNpmrcAuth(projectDir: string): void {
   }
 
   const propagatable = [...envVarRefs].filter(
-    (name) => !RESERVED_ENV_VARS.has(name) && !!process.env[name],
+    (name) => !isReservedEnvVar(name) && !!process.env[name],
   );
 
   if (propagatable.length === 0) {
