Closed bryanmacfarlane closed 1 year ago
STDIN (interactive config) might be your best bet. Setting env from bash will still get recorded. For example, run the command `export TEST_ENV_VAR=foo`, then run `history`.
You can leverage bash's HISTIGNORE here for example. You might export HISTIGNORE with a value ignoring your configuration command. That way, it won't be present in history, but you can still have the advantages of automating the command providing the flag.
But the best solution here related to the documentation might be just to add a warning or a sentence stating that you should be careful when automating the configuration of self-hosted runners, and to add an explanation, as mentioned in the issue description.
Interactive config is harder for automation, and HISTIGNORE is valuable only for the bash environment. In this case, the docs could mention just the security concern about CLI invocation logs, which should be kept in mind when automating or running configuration.
I think that https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners explains that you should be careful with your environment, but we could file an issue to the docs and a PR adding this use-case just to be more explicit. What do you think?
This issue does not seem to be a problem with the runner application; it concerns the GitHub Actions platform more generally. Could you please post your feedback on the GitHub Community Support Forum, which is actively monitored? Using the forum ensures that we route your problem to the correct team. 😃
Describe the bug
If someone is automating configuring self-hosted runners and specifies the `--token` option, it could get logged to CLI invocation logs (a file on *nix, the security event log on Windows). That's mitigated by the token being time-bombed, but it's still possible (and more likely in a single-use scenario) for a user's build to read the CLI logs and grab the token before it expires.
The docs should recommend to (1) set the envvar, (2) configure, and then (3) clear the envvar.
The runner supports setting an envvar: https://github.com/actions/runner/blob/6c70d53eead402ba5d53676d6ed649a04e219c9b/src/Runner.Listener/CommandSettings.cs#L83
That also registers the token as a secret so it's masked from diag logs.
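The set-envvar / configure / clear-envvar procedure proposed above, as an added bash example; this is not code from the issue or from the actions/runner project. It assumes, from the linked CommandSettings.cs, that config.sh reads the token from the environment variable `ACTIONS_RUNNER_INPUT_TOKEN` when `--token` is absent (the `ACTIONS_RUNNER_INPUT_<ARG>` prefix), registers it with the secret masker and removes it from its own environment after reading it; verify that against the runner version you deploy. It also assumes the registration token was already written to a mode-0600 file by the provisioning tool, since passing it to this script as an argument would put it right back on a command line. The `url`, `token_file` and `runner_dir` names and the `configure_runner` function are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not actions/runner code: register a self-hosted runner
# without putting the registration token on argv, so it cannot be picked
# up from bash history, process accounting or the Windows security log.
#
# Assumed (check against your runner version): config.sh honours
# ACTIONS_RUNNER_INPUT_TOKEN in place of --token, masks it in diag logs
# and unsets it in its own environment once read.
set -eu

# Only relevant if you paste the registration line into an interactive
# bash: keep it out of ~/.bash_history. A non-interactive script writes
# no history, and HISTIGNORE does nothing for other shells, auditd or
# process accounting, which is why the token must stay off argv anyway.
export HISTIGNORE='*ACTIONS_RUNNER_INPUT_TOKEN=*:*config.sh*'

# configure_runner URL TOKEN_FILE [RUNNER_DIR]
# Only non-secret options go on the command line. The token travels in
# the child's environment alone: a prefix assignment (VAR=value cmd) is
# visible to cmd but is never exported into this shell, so the
# "set, configure, clear" sequence collapses into one step with nothing
# left over to clear.
configure_runner() {
  local url="$1"
  local token_file="$2"
  local runner_dir="${3:-.}"

  [ -r "$token_file" ] || { echo "token file not readable: $token_file" >&2; return 1; }

  # Read the token once, inside a subshell, so the value lives only in that
  # subshell and in the child's environment. $(cat ...) strips the trailing
  # newline a secret-management tool usually leaves in the file.
  (
    cd "$runner_dir"
    ACTIONS_RUNNER_INPUT_TOKEN="$(cat "$token_file")" \
      ./config.sh --url "$url" --unattended
  )

  # The registration token is single-purpose and short-lived: drop the
  # plaintext copy as soon as the runner has consumed it.
  rm -f -- "$token_file"
}

# Run only when invoked directly with arguments, e.g.
#   ./register.sh https://github.com/example-org /run/secrets/runner-token /opt/actions-runner
if [ "$#" -ge 2 ]; then
  configure_runner "$@"
fi
```

Because the variable is scoped to the child process, `env`, `set` and `/proc/<pid>/environ` of the provisioning shell never contain the token; only the runner process (same uid) sees it, and per the assumption above it removes it from its own environment after reading it.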