Remove passing the GH_PERSONAL_ACCESS_TOKEN to actions/checkout#56
Merged
Conversation
stplasim
approved these changes
May 15, 2026
stplasim
left a comment
Good fix, this is a real attack vector. Worth noting we have a similar situation with GRADLE_ENCRYPTION_KEY: it'll be empty on fork PRs, but the Gradle action handles that gracefully and just skips the configuration cache. Builds will still work, just a touch slower. Should be fine.
Member
Author
Good point!
The CI for PR #55 fails because we pass the `GH_PERSONAL_ACCESS_TOKEN` to `actions/checkout`. It fails because the pull request is opened from a community fork.

In GitHub Actions, secrets (like `GH_PERSONAL_ACCESS_TOKEN`) are not exposed to workflows triggered by pull requests from external forks for security reasons. Because the secret is not available in the fork PR context, the expression evaluates to an empty string. The `actions/checkout` action sees the token parameter provided but empty, which causes the `Error: Input required and not supplied: token` error.

The action `actions/checkout` uses the default `github.token` automatically if we omit the token parameter.

I'll fix it for the `test.yml` workflow for now, but not the `release.yml` workflow, as this is a different topic: the `release.yml` workflow also pushes a commit (changing the version in the `README.md`) back to the repo, which also triggers the CI again, as we use the `GH_PERSONAL_ACCESS_TOKEN` there. Omitting the token or using `GITHUB_TOKEN` or `github.token` would not trigger other workflows (which could be what we want).

I checked how other open-source dependencies we use in this project do it, and they all omit passing any token, so the default `github.token` is used:

- https://github.com/google/error-prone/blob/960e04b8c6269512bab29bc7eac1fa6669961d1a/.github/workflows/ci.yml#L53-L54
- https://github.com/uber/NullAway/blob/9b04703048af3f13e749a43fbf494834cda6ecd7/.github/workflows/continuous-integration.yml#L22-L23
- https://github.com/assertj/assertj/blob/82886e8da929e9bbee275b9c4249883f18f1e7f0/.github/workflows/main.yml#L28
- https://github.com/ongres/scram/blob/5fdd1016549a84a5f38ac453c271b8393fc75936/.github/workflows/maven.yml#L19
- https://github.com/pgjdbc/pgjdbc/blob/1276a3decb6e05c8e836498a44b88658a4fbf46a/.github/workflows/main.yml#L43-L45
- https://github.com/projectlombok/lombok/blob/c8f91b529497dfde33a72eef69a361d8bfbbd41d/.github/workflows/ant.yml#L13
- https://github.com/tbroyer/gradle-errorprone-plugin/blob/e56fce6bbafc18c8a4c25fcceafdbe9712cb56e6/.github/workflows/gradle.yaml#L17
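As an added illustration (constructed for this page, not the repository's actual `test.yml` or the PR's diff), here is a minimal job in the failing form beside the corrected form; the job and step names, the action version pins and the Gradle action reference are assumptions.

```yaml
# Constructed example, not the repository's own workflow file.
name: test
on:
  pull_request:        # also runs for fork PRs, where repository secrets are NOT available

jobs:
  build-before:        # the form this PR removes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # version pin assumed
        with:
          # On a fork PR this expression evaluates to "", so the input is
          # present but empty and checkout fails with
          # "Input required and not supplied: token".
          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

  build-after:         # the corrected form
    runs-on: ubuntu-latest
    steps:
      # No token input: checkout falls back to the automatic github.token,
      # which exists in every run, including fork PRs. Commits pushed with
      # it do not trigger other workflows, which is why release.yml keeps
      # the PAT for its version-bump push.
      - uses: actions/checkout@v4
      - uses: gradle/actions/setup-gradle@v4   # assumed Gradle action and pin
        env:
          # Also empty on fork PRs; per the review comment the Gradle action
          # then skips the configuration cache instead of failing.
          GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
```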