Add warning that GITHUB_TOKENs cannot be passed to subsequent jobs #29386
Automatically generated comment
ℹ️ This comment is automatically generated and will be overwritten every time changes are committed to this branch. The table contains an overview of files in the Content directory changes. You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
fpt: Free, Pro, Team
@MarkIannucci Thanks so much for submitting a PR! I'll get this triaged for review ⚡
Thanks for opening this PR to share your learnings with others!
- I think this might be more visible if we put it in the introductory text before the workflow, maybe after line 24
- There are a couple other workflow examples that use the `actions/create-github-app-token` action. Can you update those places as well?
{% warning %}

**Warning:** Automatic token protection prevents passing tokens generated with this method to subsequent jobs. By design, GitHub Runners are written to protect `GITHUB_TOKENS`. As a consequence, they will set the values of GITHUB_OUTPUTS to the empty string if they contain tokens issued with this functionality.

{% endwarning %}
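Review bot: the identifiers in the warning text do not match the real names and will confuse readers: the automatic token is `GITHUB_TOKEN` and step outputs are written to the `GITHUB_OUTPUT` file, so `GITHUB_TOKENS` and `GITHUB_OUTPUTS` read like separate, non-existent variables. The token minted by `actions/create-github-app-token` is also an app installation token rather than a `GITHUB_TOKEN`, so "GitHub Runners are written to protect `GITHUB_TOKENS`" conflates the two; stating that the runner scrubs registered secret values from job outputs, which is what empties the output here, would be both accurate and shorter.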
A couple of suggestions to:
- Use a note since we try to reserve warning callouts for potentially destructive actions
- Add a potential workaround
- Remove some text
- {% warning %}
- **Warning:** Automatic token protection prevents passing tokens generated with this method to subsequent jobs. By design, GitHub Runners are written to protect `GITHUB_TOKENS`. As a consequence, they will set the values of GITHUB_OUTPUTS to the empty string if they contain tokens issued with this functionality.
- {% endwarning %}
+ {% note %}
+ **Note:** Due to automatic token protection, you cannot pass tokens generated with this method to downstream jobs. If you need to share the token with another job, you can store the token as an {% data variables.product.prodname_actions %} secret. For more information, see "[AUTOTITLE](/rest/actions/secrets#create-or-update-a-repository-secret)." 
+ {% endnote %}
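Review bot: the second sentence of the suggested note recommends writing the minted token into a repository secret, but a repository secret is readable by every workflow in the repository, so that workaround widens the token's audience from the single job that minted it to the whole repository; the docs should not recommend it without that caveat. Suggest keeping only the first sentence, "Due to automatic token protection, you cannot pass tokens generated with this method to downstream jobs.", and dropping the secrets link.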
Thank you for the review. The potential workaround is not viable as it allows a token fetched by one workflow to be used by any other workflow in the repo which could be used to escalate privileges (as long as the attack was well timed).
I'm happy to incorporate the comment elsewhere once we figure out the correct wording.
In that case, would it be better to omit the workaround and just say this?
{% note %}
**Note:** Due to automatic token protection, you cannot pass tokens generated with this method to downstream jobs.
{% endnote %}
@MarkIannucci Feel free to ping us when this is ready for another review! 👍
This PR has been automatically closed because there has been no response to our request for more information from the original author. Please reach out if you have the information we requested, or open a new issue describing your changes. Then we can begin the review process.
Why:
We've lost a ton of time attempting to pass tokens generated in one job to reusable workflows.
It seems we are not alone in this time loss. I also haven't found any documentation about the functionality which prohibits setting a job's output to a `GITHUB_TOKEN` other than this comment in an issue.
Closes:
What's being changed (if available, include any code snippets, screenshots, or gifs):
Check off the following:
- I have reviewed my changes in staging, available via the View deployment link in this PR's timeline.
- data directory.
- For content changes, I have completed the self-review checklist.
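An added workflow example (not code from this PR or from the docs) that shows the behaviour the proposed note describes: a job output carrying the token minted by `actions/create-github-app-token` arrives empty in the downstream job, so the working pattern is for each job to mint and consume its own token. The `DEMO_APP_ID` variable and `DEMO_APP_PRIVATE_KEY` secret are placeholder names, and the input names assume the action's v1 release.

```yaml
name: app-token-per-job
on: workflow_dispatch
permissions: {}   # least privilege: jobs use the app token, not GITHUB_TOKEN

jobs:
  # Anti-pattern the note warns about: the minted token is registered as a
  # secret, so the runner scrubs any job output that contains it.
  mint-and-share:
    runs-on: ubuntu-latest
    outputs:
      token: ${{ steps.app-token.outputs.token }}   # reaches downstream jobs as ""
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.DEMO_APP_ID }}                   # placeholder variable name
          private-key: ${{ secrets.DEMO_APP_PRIVATE_KEY }}  # placeholder secret name

  consume-shared:
    needs: mint-and-share
    runs-on: ubuntu-latest
    steps:
      - env:
          SHARED_TOKEN: ${{ needs.mint-and-share.outputs.token }}
        run: |
          if [ -z "$SHARED_TOKEN" ]; then
            echo "token output was scrubbed by the runner, as documented"
          else
            echo "unexpected: a token crossed the job boundary" >&2; exit 1
          fi

  # Working pattern: each job that needs an installation token mints its own
  # and uses it inside the same job, so no token is ever written to an output.
  consume-own:
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.DEMO_APP_ID }}
          private-key: ${{ secrets.DEMO_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}   # consumed in-job, never exported
```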