bugfix: #1072 #1579
bugfix: #1072 #1579
Conversation
…able for security
ilanRosenbaum
changed the title
| @@ -86,21 +87,23 @@ export class Analyzer { | |||
| /**Clone a repository */ | |||
| async clone(repository) { | |||
| const {repo, branch, path} = this.parse(repository) | |||
| let url = /^https?:\/\//.test(repo) ? repo : `https://github.com/${repo}` | |||
| const token = core.getInput("token") | |||
There was a problem hiding this comment.
Can you gate this behind a if (process.env.GITHUB_ACTIONS) so this only execute on GitHub Actions ?
The web instances probably doesn't need to expose its token on guest tokens (even though this indepth mode shouldn't be enabled on them anyways)
There was a problem hiding this comment.
Yes absolutely. Just pushed the change
|
Hi 👋 ! Thanks for looking into this ! The CI is probably broken so don't worry about it |
|
Hey, any update on getting this merged? It's a small change and should make this product work better for a lot of users |
|
Thanks for your contribution ! |
Add token to URL in analyzer so it can access private repos
Remove URL from logs to avoid token being in logs, replaced with what the URL would be without the token