[BUG] Composite actions should be provisioned with ACTIONS_RUNTIME_TOKEN just like the node and docker ones
#3046
Labels
bug
Something isn't working
Comments
|
This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days. |
|
unstale |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently,
ACTIONS_RUNTIME_TOKENis exposed to nodejs and docker action types, but not the composite ones. So accessing it is rather limited to 2/3 types of the action types. It's not a private implementation detail and GitHub's own docs even show accessing it through the normal JS env var interface (process.env): https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-environment-variables. There's also no recommendations not to use it, it's rather undocumented that it's surprisingly inaccessible from within non-actions and composite actions.Which is why I think it's actually a bug that got overlooked, unintentionally vendor-locking the action authors to docker or nodejs. It shouldn't be like this so I'm filing this issue to ask this (and related) env vars to be exposed to all action types equally.
The other action implementations set the env var like this:
runner/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs
Line 56 in 9e3e57f
runner/src/Runner.Worker/Handlers/ContainerActionHandler.cs
Line 221 in 9e3e57f
The text was updated successfully, but these errors were encountered: