fix(pnpm-install): keep github-registry-token off disk #279
Merged
The token previously landed in ~/.npmrc as plain text, where any later
step in the same job could read it — a regression vs the npm pattern
this action replaced.
Instead, write the literal template '${GITHUB_REGISTRY_TOKEN}' into
~/.npmrc (single quotes, no shell expansion) and inject the env var
only for the install step. pnpm expands the template at registry-fetch
time; once the install step exits, the env var is gone and ~/.npmrc
holds an unusable template — later steps cannot exfiltrate the token.
Reported by František on the apify-core pnpm migration review.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fnesveda approved these changes on May 5, 2026
Summary
Reported by František on the apify-core pnpm migration review: the current `github-registry-token` flow writes the expanded token into `~/.npmrc`, where any later step in the same job can read it. That's a regression vs the npm pattern this action replaced.

The npm pattern was two-step:

1. `npm config set '//npm.pkg.github.com/:_authToken=${APIFY_..._TOKEN}'` — single quotes, so the template (literal `${VAR}`) lands in `~/.npmrc`, not the actual value.
2. `npm install` ran with `env: APIFY_..._TOKEN: ${{ secrets... }}` — npm expanded the template at fetch time using the env var, which only existed for that one step.

The token never touched disk, and was unreachable to any later step. This PR restores that behaviour for the composite:

1. Write `'\${GITHUB_REGISTRY_TOKEN}'` (single quotes — load-bearing) into `~/.npmrc`.
2. Inject `GITHUB_REGISTRY_TOKEN` in `env:`. pnpm expands the template at registry-fetch time, then the env var is gone.
3. `~/.npmrc` contains `…_authToken=\${GITHUB_REGISTRY_TOKEN}` — an unusable template. Anything compromised in a later step cannot read the token.

Compatibility
No input/output changes. Callers don't need to update anything.
Verification
`@main` and runs successfully against this token; once this lands the only behaviour change is the contents of `~/.npmrc` (template instead of expanded value).
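The on-disk/in-env split that the commit message and the Summary describe, reproduced as an added shell example (not code from the PR or from the apify-core repository). It uses a throwaway file in place of `~/.npmrc` and a constructed token value; `expand_npmrc` is a hypothetical stand-in for the `${VAR}` substitution npm and pnpm apply when they read `.npmrc`, and `write_npmrc_expanded` plays the role of the regression the PR removes. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not the PR's own code. Demonstrates why single-quoting the
# ${VAR} template keeps the token off disk and why a later step, which no
# longer has the env var, is left with an unusable template.

NPMRC="${NPMRC:-$(mktemp)}"                  # stand-in for ~/.npmrc (constructed path)
FAKE_TOKEN="ghp_constructedExampleToken123"  # constructed sample, not a real credential

# Config step, as the PR does it: single quotes stop the shell from expanding
# ${...}, so the literal template is what reaches the file.
write_npmrc_template() {
    printf '%s\n' '//npm.pkg.github.com/:_authToken=${GITHUB_REGISTRY_TOKEN}' > "$NPMRC"
}

# Contrast case, the regression the PR fixes: the expanded value is written.
write_npmrc_expanded() {
    printf '%s\n' "//npm.pkg.github.com/:_authToken=$GITHUB_REGISTRY_TOKEN" > "$NPMRC"
}

# What the file holds on disk.
npmrc_line() { cat "$NPMRC"; }

# Hypothetical client-side expansion of one ${NAME} reference in the line.
# Returns 1 (unusable template) when NAME is not set in the environment.
expand_npmrc() {
    line=$(cat "$NPMRC")
    name=$(printf '%s' "$line" | sed -n 's/.*\${\([A-Za-z_][A-Za-z0-9_]*\)}.*/\1/p')
    if [ -z "$name" ]; then
        printf '%s\n' "$line"      # nothing to expand; the value is already literal
        return 0
    fi
    value=$(eval "printf '%s' \"\${$name:-}\"")   # name is validated by the regex above
    [ -n "$value" ] || return 1
    pattern='\${'"$name"'}'                       # literal ${NAME} for sed
    printf '%s\n' "$line" | sed "s|$pattern|$value|"
}

# Install step: the token exists only inside this subshell's environment,
# mirroring an env: block scoped to a single job step.
install_step() {
    ( export GITHUB_REGISTRY_TOKEN="$FAKE_TOKEN"; expand_npmrc )
}

# Any later step: same file, but GITHUB_REGISTRY_TOKEN is no longer set.
later_step() {
    expand_npmrc
}

# Did the secret itself end up on disk?
token_on_disk() {
    grep -q "$FAKE_TOKEN" "$NPMRC"
}

# Walk-through when run directly: `sh example.sh demo`
if [ "${1:-}" = "demo" ]; then
    write_npmrc_template
    echo "on disk : $(npmrc_line)"
    echo "install : $(install_step)"
    later_step || echo "later   : template cannot be expanded, token unavailable"
    token_on_disk && echo "token leaked to disk" || echo "token not on disk"
    rm -f "$NPMRC"
fi
```

The check that matters for a reviewer is the last one: after the fixed flow, `grep` for the token value in the file finds nothing, while the contrast function leaves it there in plain text for every subsequent step of the job to read.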