Open 5nafu opened 3 years ago
Any thoughts on how to deal with this? The env var is required to properly deregister the token when the container is terminated.
I see there is a request for hiding environment variables which would be most convenient, but that hasn't been implemented.
When running the runner with
all environment variables supplied to the runner are exposed to the GitHub Actions. This includes (but is not limited to) the personal access token used to register a runner:
An attacker could use a malicious action to leak the tokens and thus gain access to the code.
Action:
Logs:
You can check the action in 5nafu/sanderKnape_github-runner_env_exposure:.github/workflows/debug.yml and the output in /5nafu/sanderKnape_github-runner_env_exposure/actions/runs/835647428
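The mechanism behind the report, and one way an entrypoint can keep the token for deregistration without every job step inheriting it, as an added example (this is not the project's entrypoint and not code from the issue). It assumes the token arrives as an exported variable named `ACCESS_TOKEN`; `register_runner` and `deregister_runner` are constructed stand-ins that only print, in place of the real GitHub API calls.

```shell
#!/bin/sh
# Added example: exported vs. non-exported variables in a runner entrypoint.
# Every name below is an assumption for illustration; no network is touched.

# Constructed stand-ins for the GitHub API calls (print to stderr only).
register_runner() {
  printf 'registering runner with token %s\n' "$1" >&2
}
deregister_runner() {
  printf 'deregistering runner with token %s\n' "$1" >&2
}

# What a job step sees: a freshly spawned process only inherits *exported*
# variables, which is exactly how a `run: env` step reads the token.
step_sees_token() {
  sh -c 'printf "%s" "${ACCESS_TOKEN:-<unset>}"'
}

# Leaking pattern: the token stays exported for the runner's lifetime,
# so it is visible to every workflow step executed by the runner.
leaky_entrypoint() {
  register_runner "$ACCESS_TOKEN"
  step_sees_token
}

# Hardened pattern: copy the token into a plain (non-exported) shell
# variable, drop the exported one, and give the private copy to a trap so
# the runner can still be deregistered when the container is stopped.
hardened_entrypoint() {
  token="$ACCESS_TOKEN"   # private copy lives only in this shell
  unset ACCESS_TOKEN      # nothing spawned from here on inherits it
  register_runner "$token"
  trap 'deregister_runner "$token"' EXIT TERM INT
  # Real entrypoint would start the runner in the background and `wait`,
  # so the TERM trap can run on `docker stop`; here the step stands in.
  step_sees_token
}

# Simulates `docker run -e ACCESS_TOKEN=...`: runs the given entrypoint
# function in a subshell whose environment carries the exported token.
run_container() {  # $1 = entrypoint function, $2 = token
  ( export ACCESS_TOKEN="$2"; "$1" )
}
```

Calling `run_container leaky_entrypoint <token>` prints the token from the simulated step, while `run_container hardened_entrypoint <token>` prints `<unset>` and the trap still deregisters with the private copy on exit. Two caveats a practitioner should keep in mind: `unset` does not scrub `/proc/<pid>/environ` of the entrypoint process, which still holds the original block and is readable by any process running as the same user (or as root), so job steps should run as a different unprivileged user than the entrypoint, or the token should be delivered some other way (for example a mounted file with mode 0600 read once and deleted) rather than through the container environment at all; and a shell only services a TERM trap between foreground commands, so the runner must be started in the background and waited on.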