fix: pass github-token input to APM subprocess as GITHUB_TOKEN #15
Merged
danielmeppiel merged 1 commit into main from Mar 19, 2026
The action declares a github-token input (defaulting to github.token) but never reads it or exports it to the subprocess environment. GitHub Actions does not auto-export input values as env vars, so APM runs unauthenticated — hitting rate limits (60/hr) and failing on private repo dependencies.

Fix: read the input with core.getInput, mask it with core.setSecret, and set process.env.GITHUB_TOKEN before any APM subprocess calls.

Ref: microsoft/apm#356

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Fixes the action’s github-token input not being propagated to APM subprocesses by exporting it as GITHUB_TOKEN (and masking it) before any APM CLI invocations, ensuring authenticated GitHub API/dependency access.
Changes:
- Read `github-token`, mask it via `core.setSecret()`, and set `process.env.GITHUB_TOKEN` for subprocess inheritance.
- Add unit tests validating `GITHUB_TOKEN` propagation and no-op behavior when the input is empty.
- Regenerate `dist/index.js` to include the runtime changes.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/runner.ts | Exports github-token input to process.env.GITHUB_TOKEN and masks it before running APM. |
| src/__tests__/runner.test.ts | Adds coverage for token propagation/masking and empty-input behavior. |
| dist/index.js | Updates bundled output to reflect the source changes (ncc build artifact). |
| const githubToken = core.getInput('github-token'); | ||
| if (githubToken) { | ||
| core.setSecret(githubToken); | ||
| process.env.GITHUB_TOKEN = githubToken; |
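Review bot: The assignment on the last line, `process.env.GITHUB_TOKEN = githubToken;`, overwrites any GITHUB_TOKEN already present in the environment whenever the input is non-empty, so a token supplied another way is silently replaced. Assign only when the variable is not already set (for example `process.env.GITHUB_TOKEN ??= githubToken;`), and decide explicitly whether an empty-string value should count as set. Because this mutates process.env rather than the environment of a single call, every child process spawned afterwards inherits the token; passing it only in the env of the APM invocation would narrow that.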
Good catch — fixed in #16. Changed = to ??= so an existing GITHUB_TOKEN (e.g., a PAT from job-level env:) is preserved. Added a test for the non-clobber case.
danielmeppiel added a commit that referenced this pull request Mar 19, 2026
Use nullish-coalescing assignment (??=) so a GITHUB_TOKEN already present in the environment (e.g., a PAT set via job-level env:) is not clobbered by the action's default github.token input.

Addresses review feedback on #15.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem

The action declares a `github-token` input (defaults to `${{ github.token }}`) but never reads it or exports it to the subprocess environment. GitHub Actions does not auto-export input values as environment variables, so APM runs unauthenticated.

Impact:
- `GITHUB_TOKEN` in subprocess)
- `github-token` expect it to work — it doesn't

Found during microsoft/apm#356 which fixed APM itself to be resilient to missing tokens, but noted this action-side bug needed a separate fix.

Fix

Read the `github-token` input with `core.getInput()`, mask it with `core.setSecret()`, and set `process.env.GITHUB_TOKEN` before any APM subprocess calls. Since `runApm()` passes `{ ...process.env }` to child processes, the token propagates automatically.

Tests

- `passes github-token input as GITHUB_TOKEN env var` — verifies token is set in env and masked
- `does not set GITHUB_TOKEN when github-token input is empty` — verifies no-op when empty

All 44 tests pass.
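The assignment strategies discussed in this pull request, compared side by side as an added example that is not the action's own code: the plain `=` from this change, the `??=` from the follow-up, and an assumed stricter variant that also replaces an empty value. Plain objects stand in for `process.env`, and the function names and token strings are constructed for illustration.

```javascript
// Added example, not the action's code. Plain objects stand in for process.env,
// and every function name and token value here is constructed for illustration.

// First patch (#15): a non-empty input always wins.
function assignAlways(env, input) {
  const out = { ...env }; // copy, so the caller's environment is not mutated
  if (input) out.GITHUB_TOKEN = input;
  return out;
}

// Follow-up (#16): keep a GITHUB_TOKEN that is already defined.
function assignNullish(env, input) {
  const out = { ...env };
  if (input) out.GITHUB_TOKEN ??= input;
  return out;
}

// Assumed stricter variant: an empty string also counts as "not set".
function assignIfMissing(env, input) {
  const out = { ...env };
  if (input && !out.GITHUB_TOKEN) out.GITHUB_TOKEN = input;
  return out;
}

const INPUT = 'default-token-constructed';
const CASES = {
  unset: {},
  pat: { GITHUB_TOKEN: 'pat-constructed' },
  empty: { GITHUB_TOKEN: '' },
};

// Resulting GITHUB_TOKEN per starting environment and strategy.
function compare() {
  const rows = {};
  for (const [name, env] of Object.entries(CASES)) {
    rows[name] = {
      always: assignAlways(env, INPUT).GITHUB_TOKEN,
      nullish: assignNullish(env, INPUT).GITHUB_TOKEN,
      ifMissing: assignIfMissing(env, INPUT).GITHUB_TOKEN,
    };
  }
  return rows;
}

console.table(compare());
```

In the `empty` row, `??=` leaves the empty string in place because only `null` and `undefined` are nullish, so the child process would still run without a usable token.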