Conversation
Pull request overview
Improves security of the interactive init flow by preventing implicit use of the user’s gh auth token when configuring repository secrets, reducing the chance of accidentally uploading a personal token to the repo during initialization.
Changes:
- Removed parser.GetGitHubToken() fallback for COPILOT_GITHUB_TOKEN during init secret detection and setting.
- Updated the init confirmation prompt messaging to emphasize that secrets will be uploaded and that the default choice is to skip.
- Added security-focused inline comments explaining why init should only use explicitly-provided environment variables.
Comments suppressed due to low confidence (1)
pkg/cli/init.go:352
- This COPILOT_GITHUB_TOKEN switch case re-reads the same environment variable (secretName already equals "COPILOT_GITHUB_TOKEN" here), so it doesn’t provide an actual alternative name. Consider removing the case or mapping to real alternative env var names to keep the “Try alternative names” logic meaningful.
case "COPILOT_GITHUB_TOKEN":
// Only check explicit environment variable, do NOT use gh auth token fallback
// This prevents accidentally uploading user's personal token to the repository
secretValue = os.Getenv("COPILOT_GITHUB_TOKEN")
| // The init command should only detect explicitly set environment variables, not scrape | ||
| // the user's gh auth token. Using gh auth token for secrets would be a security risk | ||
| // as users may not realize their personal token is being uploaded to the repository. | ||
| // The trial command handles this differently with explicit warnings. |
The comment says “The trial command handles this differently with explicit warnings,” but the trial flow appears to set COPILOT_GITHUB_TOKEN via parser.GetGitHubToken()/prompts without an explicit warning about uploading a personal gh auth token. Please either add the referenced warning in the trial path or reword/remove this sentence so the security rationale comment stays accurate.
| // The trial command handles this differently with explicit warnings. | |
| // If other flows use a gh auth token as a fallback, they must include explicit warnings |
| case "COPILOT_GITHUB_TOKEN": | ||
| // Use the proper GitHub token helper | ||
| secretValue, _ = parser.GetGitHubToken() | ||
| // Only check explicit environment variable, do NOT use gh auth token fallback | ||
| // This prevents accidentally uploading user's personal token to the repository | ||
| secretValue = os.Getenv("COPILOT_GITHUB_TOKEN") |
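Review bot: the new case on the last three lines re-reads COPILOT_GITHUB_TOKEN, the very name the case label matches on, and then does nothing when the variable is unset, so an empty secretValue flows on silently; either drop the case entirely or make the empty result explicit, for example `if secretValue == "" { // unset: skip, no gh auth fallback }`, so a reader can see that an unset variable means the secret is skipped rather than uploaded empty. The removed `secretValue, _ = parser.GetGitHubToken()` also discarded the helper's error; the replacement avoids that, which is worth noting in the rationale comment.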
This COPILOT_GITHUB_TOKEN branch is redundant: secretValue was already initialized with os.Getenv(spec.Name), and spec.Name is "COPILOT_GITHUB_TOKEN". Consider removing this case (or using it for true alternative env var names) to avoid implying extra lookup logic that doesn’t change behavior.
This issue also appears on line 349 of the same file.
See below for a potential fix:
Summary
The changes focus on improving security during the repository initialization process by:
The modifications ensure users have more control and awareness when setting up repository secrets, particularly for sensitive tokens like GitHub authentication credentials.
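The behaviour this PR is after, as an added illustration rather than code from the project: secret detection that reads only explicitly exported environment variables (no gh auth token fallback), a "Try alternative names" loop that is meaningful because it only consults names that differ from the secret's own, an explicit skip when nothing is set, and a confirmation prompt whose default is to not upload. The type names, the `EXAMPLE_API_KEY`/`EXAMPLE_KEY` pair and the `lookupFunc` indirection are assumptions made for this example; the real pkg/cli/init.go is not shown here.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// secretSpec describes one repository secret that init may set and the
// environment variables it is allowed to read. Only explicitly exported
// variables are consulted; there is deliberately no gh auth token fallback.
// (Hypothetical type for this example.)
type secretSpec struct {
	Name     string   // repository secret name, also the primary env var
	AltNames []string // alternative env var names, if any (assumed names)
}

// lookupFunc abstracts os.Getenv so detection can be exercised offline.
type lookupFunc func(key string) string

// detectSecrets returns the secrets whose value was found in an explicitly
// set environment variable, plus the names of specs that were skipped.
func detectSecrets(specs []secretSpec, lookup lookupFunc) (found map[string]string, missing []string) {
	found = make(map[string]string)
	for _, spec := range specs {
		value := lookup(spec.Name)
		// Alternative names only add something when they differ from
		// spec.Name; re-reading the same variable would be a no-op.
		for _, alt := range spec.AltNames {
			if value != "" {
				break
			}
			if alt == spec.Name {
				continue
			}
			value = lookup(alt)
		}
		if value == "" {
			// Unset means skip. Nothing is scraped from gh auth to fill the gap.
			missing = append(missing, spec.Name)
			continue
		}
		found[spec.Name] = value
	}
	return found, missing
}

// confirmUpload interprets the answer to the upload prompt. Only an explicit
// "y"/"yes" uploads; pressing Enter or anything else skips, so the safe
// choice is the default.
func confirmUpload(answer string) bool {
	switch strings.ToLower(strings.TrimSpace(answer)) {
	case "y", "yes":
		return true
	default:
		return false
	}
}

// promptText spells out that values will be uploaded and that skipping is
// the default, which is the wording change the PR asks for.
func promptText(names []string) string {
	return fmt.Sprintf("The following values will be UPLOADED as repository secrets: %s\n"+
		"Upload them now? [y/N] (default: skip) ", strings.Join(names, ", "))
}

func main() {
	specs := []secretSpec{
		{Name: "COPILOT_GITHUB_TOKEN"},
		{Name: "EXAMPLE_API_KEY", AltNames: []string{"EXAMPLE_KEY"}}, // assumed names
	}
	found, missing := detectSecrets(specs, os.Getenv)
	for _, name := range missing {
		fmt.Printf("%s is not set in the environment; skipping (no gh auth fallback)\n", name)
	}
	if len(found) == 0 {
		fmt.Println("No explicitly set secrets detected; nothing to upload.")
		return
	}
	names := make([]string, 0, len(found))
	for name := range found {
		names = append(names, name)
	}
	sort.Strings(names)
	fmt.Print(promptText(names))
	answer, _ := bufio.NewReader(os.Stdin).ReadString('\n')
	if !confirmUpload(answer) {
		fmt.Println("Skipped: no secrets were uploaded.")
		return
	}
	for _, name := range names {
		// A real implementation would call the repository secrets API here;
		// this example only reports what it would do.
		fmt.Printf("would set repository secret %s (%d bytes)\n", name, len(found[name]))
	}
}
```

Run it with nothing exported and it reports both secrets as skipped; export COPILOT_GITHUB_TOKEN and it lists that one secret and waits for an explicit "y". The lookup indirection is what makes the skip-on-unset and the no-fallback rule testable without touching the real environment.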