fix(security): use heredoc for gh auth login to prevent token exposure (#2364)

Replaces the pipeline form with a heredoc to prevent the GitHub token
from appearing in the process list (ps aux) on multi-user systems.

Fixes #2363

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
A 2026-03-08 22:10:15 -07:00 committed by GitHub
parent 6b769e95ab
commit 080ea5a705


@ -311,7 +311,9 @@ ensure_gh_auth() {
# GITHUB_TOKEN is already unset above so gh auth login won't refuse
# with "The value of the GITHUB_TOKEN environment variable is being
# used for authentication."
printf '%s\n' "${_gh_token}" | gh auth login --with-token || {
gh auth login --with-token <<EOF || {
${_gh_token}
EOF
log_error "Failed to authenticate with GITHUB_TOKEN"
export GITHUB_TOKEN="${_gh_token}"
return 1
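Review bot: The stated rationale does not hold when this script runs under bash, because `printf` is a bash builtin and the token in the replaced `printf '%s\n' "${_gh_token}" | gh auth login --with-token` line was never an argument of any process that `ps aux` could show; the shebang is outside the hunk, so whether an external printf was ever in play cannot be confirmed from here. The heredoc now used at `gh auth login --with-token <<EOF || {` is acceptable, but bash releases before 5.1 spool here-document bodies to a temporary file under TMPDIR before feeding them to the command (5.1 and later use a pipe when the body fits the pipe buffer), so on older bash the token briefly touches disk, which the pipe-based form avoided. If old bash is a target, either keep the pipeline or record the trade-off with a comment such as `# heredoc keeps the token out of argv; bash < 5.1 spools here-docs via a TMPDIR temp file`. Because the delimiter is `<<EOF` rather than `<<-EOF`, the body line `${_gh_token}` and the closing `EOF` must start at column 0, and any indentation on the body line (not recoverable from this rendering) would be sent to gh along with the token, so this is worth checking in the source file. The `|| {` block and ensure_gh_auth itself continue past the end of the hunk.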