
[plan] Fix APM GitHub App token never invalidated after use #21472

@github-actions

Description


Context

From security audit discussion #21454 (Sergo Run 24, 2026-03-17).

Problem

buildAPMAppTokenMintStep() is called in pkg/workflow/compiler_activation_job.go around line 424 to mint a GitHub App installation token for APM cross-org repository access. This token is consumed by the apm_pack step via ${{ steps.apm-app-token.outputs.token }}, but is never revoked after use.

All five other token-minting paths in the codebase correctly call buildGitHubAppTokenInvalidationStep() after use:

  • compiler_safe_outputs_job.go:301
  • checkout_manager.go:323
  • mcp_github_config.go:536
  • notify_comment.go:357
  • safe_outputs_jobs.go:122

GitHub App installation tokens have a 1-hour default lifetime, meaning the token grants cross-org repository access for up to 60 minutes after the workflow exits.

Severity: HIGH — Token lifecycle violation, least-privilege principle breach.
Confirmed unfixed since: Run 23 (2026-03-16).

Files to Modify

  • pkg/workflow/compiler_activation_job.go — add paired invalidation step after the APM bundle artifact upload step (around line 443)

Approach

After the APM artifact upload step, add an invalidation step (guarded by data.APMDependencies.GitHubApp != nil):

// Pair the mint step with a revoke step; the guard mirrors the one around buildAPMAppTokenMintStep().
if data.APMDependencies.GitHubApp != nil {
    steps = append(steps, c.buildGitHubAppTokenInvalidationStep()...)
}

Note: buildGitHubAppTokenInvalidationStep() is a method on *Compiler (c), while buildAPMAppTokenMintStep() is a package-level function. The activation job already has a Compiler receiver at this call site, so the method is accessible.

The invalidation step should run even if apm_pack fails — verify it uses an always() condition consistent with other invalidation steps.
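As an added example (not gh-aw's own code), the Go sketch below models the activation job's APM step list before and after the fix and a check that flags any minted App token without an always()-guarded revoke step. Step, BuildAPMSteps, revokedLater, UnrevokedTokens, the step IDs and the revoke command are assumptions for illustration; only the create-github-app-token action and the always() condition come from the page.

```go
package main

import "fmt"

// Step is a minimal model of one Actions job step (constructed; not gh-aw's type).
type Step struct {
	ID, Uses, Run, If string // step id, "uses:" action, "run:" command, condition
	Env               map[string]string
}

// mintAction is the real token-minting action; revokeCmd is an assumed revoke command.
const mintAction, revokeCmd = "actions/create-github-app-token@v1", "gh api -X DELETE /installation/token"
func tokenRef(id string) string { return "${{ steps." + id + ".outputs.token }}" }

// BuildAPMSteps models the activation job's APM section (hypothetical stand-in):
// withInvalidation=false reproduces the defect, true adds the paired revoke step.
func BuildAPMSteps(hasGitHubApp, withInvalidation bool) []Step {
	var steps []Step
	env := map[string]string{}
	if hasGitHubApp {
		steps = append(steps, Step{ID: "apm-app-token", Uses: mintAction})
		env["GITHUB_TOKEN"] = tokenRef("apm-app-token")
	}
	steps = append(steps, Step{ID: "apm_pack", Run: "apm pack", Env: env},
		Step{ID: "upload-apm-bundle", Uses: "actions/upload-artifact@v4"})
	if hasGitHubApp && withInvalidation { // always(): revoke even when apm_pack fails
		steps = append(steps, Step{ID: "revoke-apm-app-token", If: "always()", Run: revokeCmd,
			Env: map[string]string{"GH_TOKEN": tokenRef("apm-app-token")}})
	}
	return steps
}

func revokedLater(rest []Step, id string) bool {
	for _, st := range rest {
		if st.If == "always()" && st.Run == revokeCmd && st.Env["GH_TOKEN"] == tokenRef(id) {
			return true
		}
	}
	return false
}
// UnrevokedTokens lists mint steps with no later always()-guarded revoke of their
// token; a non-empty result is the defect this issue reports.
func UnrevokedTokens(steps []Step) (missing []string) {
	for i, s := range steps {
		if s.Uses == mintAction && !revokedLater(steps[i+1:], s.ID) {
			missing = append(missing, s.ID)
		}
	}
	return missing
}

func main() { fmt.Println(UnrevokedTokens(BuildAPMSteps(true, false))) } // prints [apm-app-token]
```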

Acceptance Criteria

  • buildGitHubAppTokenInvalidationStep() is called after the APM pack step in compiler_activation_job.go
  • The invalidation runs even when apm_pack fails (check always() condition)
  • Confirm the apm-app-token step ID matches what buildGitHubAppTokenInvalidationStep targets
  • Tests in apm_dependencies_compilation_test.go and compiler_activation_jobs_test.go pass
  • make agent-finish passes with no errors

Generated by Plan Command for discussion #21454 · expires on Mar 19, 2026, 11:44 PM UTC
