
The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

GITHUB_TOKEN not present in script set as ACTIONS_RUNNER_HOOK_JOB_STARTED #2813

Open mirobertod opened 1 year ago

mirobertod commented 1 year ago

Describe the bug

The env var GITHUB_TOKEN is not present in the context of the script set as ACTIONS_RUNNER_HOOK_JOB_STARTED. Not sure if this has some security concern, but we would need a valid GITHUB_TOKEN during our pre-job script.

To Reproduce

Steps to reproduce the behavior:

  1. Create a simple bash script that runs the command `env` and set its path as the env var ACTIONS_RUNNER_HOOK_JOB_STARTED
  2. Trigger the workflow
  3. See there is no GITHUB_TOKEN available.

Expected behavior

The env var GITHUB_TOKEN should be present in the context of the script set as ACTIONS_RUNNER_HOOK_JOB_STARTED.

Runner Version and Platform

Version of your runner? 2.308.0

OS of the machine running the runner? Linux Debian 11, Kubernetes (GKE) using actions-runner-controller.

Thanks

AmorfEvo commented 1 year ago

We also struggle with the same problem...

mirobertod commented 9 months ago

Hey guys, any update on this? Thanks

EricDales commented 6 months ago

Hello,

Any chance this change might be implemented soon?

Thanks in advance for your feedback

Éric

MiticoBerna commented 2 months ago

Any news about this?

ericsciple commented 2 weeks ago

@mirobertod @AmorfEvo @EricDales @MiticoBerna could you help us understand more about your scenario? Especially interested in scenarios involving organization-level or enterprise-level runners.

MiticoBerna commented 1 week ago

Hi @ericsciple, thank you for your interest.

We want to prevent unauthorized modifications of the CI yaml files under .github folder.

Our goal is to download the repository using the token to verify if, for example, a signature we placed at the top of the CI YAML file has been altered by someone else.

If you have a better approach to ensure that the CI configuration can be modified only by authorized people, let us know.
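As an added example (not code from the actions/runner project or from any commenter), a hook script in the shape MiticoBerna describes: it stops when GITHUB_TOKEN has not reached the hook, and otherwise checks a keyed digest kept on the first line of each workflow file once the repository has been fetched. The key name CI_SIGNING_KEY, the `# ci-signature:` header format and the workflows-directory argument are assumptions made for this example.

```shell
# Added example, not actions/runner code. A pre-job hook body for
# ACTIONS_RUNNER_HOOK_JOB_STARTED: refuse to continue without GITHUB_TOKEN,
# then verify a keyed digest on line 1 of each workflow file. The key stays
# on the runner host (assumed name: CI_SIGNING_KEY), never in the repository.
set -u
# sha256(key || "\n" || body), body read from stdin. A simple stand-in for a
# real signature; an HMAC (openssl dgst -hmac) or a sigstore/gpg signature on
# the body would be the production choice.
keyed_digest() {               # $1 = key
  { printf '%s\n' "$1"; cat; } | sha256sum | cut -d' ' -f1
}
# Produce the signed copy: header line + unchanged original content.
# Run by the maintainer who holds the key, not by the runner.
sign_workflow() {              # $1 = unsigned file, $2 = signed output, $3 = key
  local sig
  sig=$(keyed_digest "$3" < "$1")
  { printf '# ci-signature: %s\n' "$sig"; cat "$1"; } > "$2"
}
# 0 when the header digest matches the body, 1 when missing or altered.
verify_workflow() {            # $1 = signed file, $2 = key
  local header expected actual
  header=$(head -n 1 "$1" 2>/dev/null)
  case "$header" in
    "# ci-signature: "*) expected=${header#"# ci-signature: "} ;;
    *) return 1 ;;
  esac
  actual=$(tail -n +2 "$1" | keyed_digest "$2")
  [ "$expected" = "$actual" ]
}
# Hook entry point. Exit status: 2 = GITHUB_TOKEN not visible to the hook
# (the situation this issue reports), 1 = a workflow failed verification,
# 0 = every *.yml file under the directory is intact.
job_started_hook() {           # $1 = workflows directory, $2 = key
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "job-started hook: GITHUB_TOKEN not visible, cannot fetch repository" >&2
    return 2
  fi
  local f
  for f in "$1"/*.yml; do
    if ! verify_workflow "$f" "$2"; then
      echo "job-started hook: unsigned or altered workflow: $f" >&2
      return 1
    fi
  done
  return 0
}
```

When installed as the hook, the script ends with a call such as `job_started_hook "$checkout/.github/workflows" "$CI_SIGNING_KEY"` after it has fetched the repository into `$checkout`.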