From fd7c8580afb3a2aaa0278bcc25ed5d4c5c48886a Mon Sep 17 00:00:00 2001 From: ChristopherHX Date: Wed, 17 May 2023 14:13:38 +0800 Subject: [PATCH] Prevent exposing GITEA_RUNNER_REGISTRATION_TOKEN to act (#188) You can currently expose the token to jobs even while using docker in docker `-e GITEA_RUNNER_REGISTRATION_TOKEN` tells the docker client of act to read GITEA_RUNNER_REGISTRATION_TOKEN from the process and now it can be stolen. Reviewed-on: https://gitea.com/gitea/act_runner/pulls/188 Reviewed-by: Jason Song Co-authored-by: ChristopherHX Co-committed-by: ChristopherHX --- run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/run.sh b/run.sh index aa8f456..8317b2d 100755 --- a/run.sh +++ b/run.sh @@ -41,5 +41,7 @@ if [[ ! -s .runner ]]; then fi done fi +# Prevent reading the token from the act_runner process +unset GITEA_RUNNER_REGISTRATION_TOKEN act_runner daemon ${CONFIG_ARG}