GITHUB_TOKEN environment variable is silently overwritten #60

Open
opened 2023-07-19 08:54:59 +00:00 by link2xt · 0 comments

We have a workflow named `.forgejo/workflows/test.yml` with the following `env` section on top:

```
env:
  GITHUB_USER: ${{secrets.XDC_GITHUB_USER}}
  GITHUB_TOKEN: ${{secrets.XDC_GITHUB_TOKEN}}
  CODEBERG_USER: ${{secrets.XDC_CODEBERG_USER}}
  CODEBERG_TOKEN: ${{secrets.XDC_CODEBERG_TOKEN}}
```

There is a PR if you want to check: https://codeberg.org/webxdc/xdcget/pulls/39

Turns out `GITHUB_TOKEN` is a no-op because it is then overwritten by some token by the runner itself, probably for GitHub compatibility. Then the tool under test checked out of the repository tries to use `$GITHUB_USER:$GITHUB_TOKEN` pair to authorize to GitHub, and it fails as the token is some Codeberg token rather than a valid GitHub token from the secrets.

As a solution I suggest that trying to set environment variables that are overwritten by the runner should result in a visible warning or an error. This will likely save some debugging time for other developers, because having a `GITHUB_TOKEN` environment variable to do releases on GitHub or things like that is probably quite common.

earl-warren added the Kind/Bug and Kind/Documentation labels 2024-03-11 15:45:10 +00:00
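The warning requested in the report can be approximated as a lint run over workflow files before they are committed. The following Python check is an added example, not code from Forgejo or the runner: the names `find_overridden_env` and `RESERVED` and the sample workflow are assumptions, only `GITHUB_TOKEN` is taken from the report, and the scan assumes block-style `env:` mappings rather than full YAML.

```python
import re

# Names the runner replaces. Only GITHUB_TOKEN is confirmed by the report
# above; add further names only after verifying them against your runner.
RESERVED = {"GITHUB_TOKEN"}

ENV_HEADER = re.compile(r"^(\s*(?:-\s+)?)env:\s*(?:#.*)?$")
ENV_KEY = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)\s*:")

def find_overridden_env(workflow_text, reserved=RESERVED):
    """Return (line_number, name) for reserved names set in any env: block.

    Line-based scan (an assumption: block-style mappings, no flow syntax).
    """
    findings = []
    env_col = child_col = None  # column of the open "env:" key / its children
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if env_col is not None and indent <= env_col:
            env_col = child_col = None  # dedent closes the env: block
        header = ENV_HEADER.match(line)
        if header:
            env_col, child_col = len(header.group(1)), None
            continue
        if env_col is None:
            continue
        key = ENV_KEY.match(line)
        if key:
            if child_col is None:
                child_col = indent  # first key fixes the direct-child column
            if indent == child_col and key.group(2) in reserved:
                findings.append((number, key.group(2)))
    return findings

# Constructed sample mirroring the env section quoted in the issue.
SAMPLE = """\
on: [push]
env:
  GITHUB_USER: ${{secrets.XDC_GITHUB_USER}}
  GITHUB_TOKEN: ${{secrets.XDC_GITHUB_TOKEN}}
jobs:
  test:
    steps:
      - run: ./run-tests.sh
        env:
          XDC_GITHUB_TOKEN: ${{secrets.XDC_GITHUB_TOKEN}}
"""

if __name__ == "__main__":
    for number, name in find_overridden_env(SAMPLE):
        print(f"line {number}: {name} is overwritten by the runner")
```

A non-empty result can fail a pre-commit hook, so the collision is caught before a credential intended for GitHub is silently replaced at run time.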
Reference: forgejo/runner#60