test: add token pool integration for rate limit distribution #7397
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| name: "Fetch GitHub Token from Pool" | ||
| description: "Fetches a token from mise-versions token pool" | ||
| inputs: | ||
| api-secret: | ||
| description: "API secret for mise-versions" | ||
| required: true | ||
| outputs: | ||
| token: | ||
| description: "The GitHub token" | ||
| value: ${{ steps.fetch.outputs.token }} | ||
| token-id: | ||
| description: "Token ID for rate-limit reporting" | ||
| value: ${{ steps.fetch.outputs.token_id }} | ||
| runs: | ||
| using: "composite" | ||
| steps: | ||
| - id: fetch | ||
| shell: bash | ||
| run: | | ||
| if [ -z "${{ inputs.api-secret }}" ]; then | ||
| echo "No API secret provided, skipping token fetch" | ||
| exit 0 | ||
| fi | ||
| response=$(curl -sf -H "Authorization: Bearer ${{ inputs.api-secret }}" \ | ||
|
||
| "https://mise-versions.jdx.dev/api/token" || true) | ||
| if [ -n "$response" ]; then | ||
| token=$(echo "$response" | jq -r '.token') | ||
| # Validate token looks like a GitHub token (starts with gh and has reasonable length) | ||
| if [[ "$token" =~ ^gh[a-z]_[A-Za-z0-9_]+$ ]] && [ ${#token} -ge 20 ]; then | ||
Bug: Token regex rejects fine-grained personal access tokens
The token validation regex
| echo "::add-mask::$token" | ||
| echo "token=$token" >> "$GITHUB_OUTPUT" | ||
| echo "token_id=$(echo "$response" | jq -r '.token_id')" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "Invalid or missing token in response, skipping" | ||
| fi | ||
| fi | ||
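Review bot: `${{ inputs.api-secret }}` is expanded into the text of the `run:` script in two places (the `[ -z ... ]` test and the curl `-H "Authorization: Bearer ..."` header), so a secret value containing `"`, `$(` or a newline is parsed by bash instead of being passed as data. Put it in `env:` on the step (`API_SECRET: ${{ inputs.api-secret }}`) and use `"$API_SECRET"` in the script. Two smaller points in the same hunk: the regex `^gh[a-z]_[A-Za-z0-9_]+$` only accepts the classic prefixes (`ghp_`, `ghs_`, ...) and rejects fine-grained tokens, which start with `github_pat_`, so a pool that hands out those would always hit the "Invalid or missing token" branch; and `token_id` is appended to `$GITHUB_OUTPUT` without any check, so a value containing a newline could define additional outputs. A `[[ "$token_id" =~ ^[A-Za-z0-9_-]+$ ]]` test before that echo closes the gap. Finally, `curl -sf ... || true` folds every failure (DNS, 401, 5xx) into the same silent "skipping" path; logging the HTTP status when `$response` is empty would make pool outages visible in the job log.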
| Original file line number | Diff line number | Diff line change |
|---|---|---|
@@ -94,6 +94,14 @@ jobs: | |
| tranche: ${{ fromJson(needs.list-changed-tools.outputs.tools == '' && '[0,1,2,3,4,5,6,7]' || '[0]') }} | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - name: Fetch token from pool | ||
| id: token | ||
| uses: ./.github/actions/fetch-token | ||
| with: | ||
| api-secret: ${{ secrets.MISE_VERSIONS_API_SECRET }} | ||
| - name: Set GITHUB_TOKEN from pool | ||
| if: steps.token.outputs.token | ||
| run: echo "GITHUB_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV" | ||
|
||
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 | ||
| with: | ||
| name: mise | ||
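Review bot: the `Set GITHUB_TOKEN from pool` step interpolates `${{ steps.token.outputs.token }}` into the `run:` command line. The composite action already constrains the value with a regex, so this is safe today, but routing it through `env:` (`TOKEN: ${{ steps.token.outputs.token }}` then `echo "GITHUB_TOKEN=$TOKEN" >> "$GITHUB_ENV"`) keeps the workflow safe even if the validation in `fetch-token` is later loosened. Separately, appending to `$GITHUB_ENV` exposes the pooled token to every subsequent step in the job, third-party actions included; if only the test steps need it, setting `GITHUB_TOKEN` in `env:` on those steps keeps the token's scope smaller.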
| Original file line number | Diff line number | Diff line change |
|---|---|---|
@@ -185,6 +185,14 @@ jobs: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Fetch token from pool | ||
| id: token | ||
| uses: ./.github/actions/fetch-token | ||
| with: | ||
| api-secret: ${{ secrets.MISE_VERSIONS_API_SECRET }} | ||
| - name: Set GITHUB_TOKEN from pool | ||
| if: steps.token.outputs.token | ||
| run: echo "GITHUB_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV" | ||
|
||
| - name: Install build and test dependencies | ||
| run: | | ||
| sudo apt-get update | ||
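Review bot: this is the same three-step block as the other job, including the `echo "GITHUB_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV"` line that interpolates the token into the script. Since a composite action's steps can append to `$GITHUB_ENV` for the calling job, the `Set GITHUB_TOKEN from pool` step could live inside `fetch-token` itself, leaving each workflow with only the `uses: ./.github/actions/fetch-token` step and removing the duplicated interpolation. If the steps stay here, keep the `if: steps.token.outputs.token` guard: the action exits 0 without setting an output when the secret is absent (for example in runs where `secrets.MISE_VERSIONS_API_SECRET` is not available), and without the guard the step would write an empty `GITHUB_TOKEN` over whatever the job already had.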
The api-secret is being checked for emptiness but is also directly interpolated into the shell script. If the secret contains special characters or shell metacharacters, it could lead to command injection. While GitHub Actions masks secrets in logs, the interpolation pattern could still be exploited. Consider using environment variables instead: set `API_SECRET: ${{ inputs.api-secret }}` in an `env:` block at the step level, then reference `$API_SECRET` in the script.