fix: use github runner token when calling the api, to prevent rate li… #124
gmpinder merged 2 commits into blue-build:main from
|
I think this would be more secure if you put the token into an environment variable and use that instead. |
|
Huh, TIL curl can interpolate env vars in headers! Let me update... |
|
You can't use single quotes; that doesn't get expanded. |
It's not curl doing it. It's the shell program doing it. It expands the variable before passing it into the command. The reason why I suggest putting it in the environment variable is to prevent it from being templated into the GitHub script directly. |
Sometimes the runner can get rate-limited during the step where it calls the API to determine the latest tag. This fixes that by passing the runner's GitHub token as an authentication token. Using curl's built-in variable support, we can avoid passing the plaintext secret on the command line as an argument, thus avoiding the theoretical security issue of someone being able to view the command line args using `ps`.
Sorry, I misread the docs, but what I was trying to do was prevent the variable from being expanded by the shell. In general it's considered bad practice to pass a secret as a plaintext command line arg, because the secret will show up to anything running In any case, I did completely misread how to pass a variable in a header, but I got it right this time :) |
|
Omg sorry I forgot to push my local fix |
…miting
Sometimes the runner can get rate-limited during the step where it calls the API to determine the repo tag. This fixes that by passing the runner's GitHub token as an authentication token.
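
The quoting and argv points raised in this thread, as an added example that is not code from this pull request: it shows what a child process actually receives when a header is single-quoted, double-quoted, or supplied on stdin (the form curl accepts as `-H @-`). The `GITHUB_TOKEN` name and value, and the `show_argv` probe standing in for curl, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. GITHUB_TOKEN and its value are constructed for illustration.
GITHUB_TOKEN="ghs_CONSTRUCTED_EXAMPLE_TOKEN"
export GITHUB_TOKEN

# Hypothetical stand-in for curl: prints the argv a child process received,
# one argument per line (the same data `ps` exposes).
show_argv() { sh -c 'printf "%s\n" "$@"' argv-probe "$@"; }

# 1. Single quotes: nothing is expanded; the program gets the literal text.
single_quoted() { show_argv -H 'Authorization: Bearer ${GITHUB_TOKEN}'; }

# 2. Double quotes: the shell expands the variable before starting the
#    program, so the token is in argv even though it came from the environment.
double_quoted() { show_argv -H "Authorization: Bearer ${GITHUB_TOKEN}"; }

# 3. Header on stdin: argv holds only "-H @-". printf is a shell builtin, so
#    no process is started with the token as an argument. Real curl would read
#    the header from stdin; the probe ignores it, so cat drains the pipe.
stdin_header() {
  printf 'Authorization: Bearer %s\n' "$GITHUB_TOKEN" |
    { show_argv -H @-; cat >/dev/null; }
}

# True when the named variant puts the token value into the child's argv.
leaks_token() { "$1" | grep -qF "$GITHUB_TOKEN"; }

for variant in single_quoted double_quoted stdin_header; do
  if leaks_token "$variant"; then
    echo "$variant: token visible in argv"
  else
    echo "$variant: token not in argv"
  fi
done
```

Moving the token into an environment variable keeps it out of the templated script text, but a double-quoted expansion still places it in the child's argument list; only the stdin variant keeps it out of both.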