actions/runner: keep sensitive values out of argv

Status	File	+	-
M	`internal/actions/expr/eval.go`	28	25
M	`internal/actions/expr/eval_test.go`	29	0
M	`internal/runner/config/config.go`	4	1
M	`internal/runner/config/config_test.go`	6	0
M	`internal/runner/engine/docker.go`	16	5
M	`internal/runner/engine/docker_test.go`	104	6
M	`internal/runner/exec/render.go`	41	17
M	`internal/runner/exec/render_test.go`	75	0

internal/actions/expr/eval.gomodified

  //
  // Tainted=true means the value transitively depends on an
  // untrusted-source reference (anything in the shithub.event.*
 -// namespace). The runner's exec layer (S41d) refuses to interpolate
 -// Tainted values into shell strings.
 +// namespace). Sensitive=true means the value transitively contains a
 +// secret. The runner's exec layer (S41d/S41e) never interpolates either
 +// class directly into shell strings.
  type Value struct {
 -	Kind    Kind
 -	S       string
 -	B       bool
 -	Tainted bool
 +	Kind      Kind
 +	S         string
 +	B         bool
 +	Tainted   bool
 +	Sensitive bool
+ }
  // Kind classifies a Value.
  // — we may extend in v2 if other namespaces grow user-controlled
  // fields.
  type Context struct {
 -	Secrets   map[string]string
 -	Vars      map[string]string
 -	Env       map[string]string
 -	EnvTaint  map[string]bool
 -	Shithub   ShithubContext
 -	Untrusted map[string]struct{} // namespace prefixes
 -	JobStatus JobStatus           // for success()/failure()/always()/cancelled()
 +	Secrets      map[string]string
 +	Vars         map[string]string
 +	Env          map[string]string
 +	EnvTaint     map[string]bool
 +	EnvSensitive map[string]bool
 +	Shithub      ShithubContext
 +	Untrusted    map[string]struct{} // namespace prefixes
 +	JobStatus    JobStatus           // for success()/failure()/always()/cancelled()
+ }
  // ShithubContext is the typed `shithub.*` slot. Event is a free-form
  		if err != nil {
  			return Value{}, err
+ 		}
 -		return Value{Kind: KindBool, B: !x.Truthy(), Tainted: x.Tainted}, nil
 +		return Value{Kind: KindBool, B: !x.Truthy(), Tainted: x.Tainted, Sensitive: x.Sensitive}, nil
  	case Binary:
  		return evalBinary(n, ctx)
+ 	}
  		if !ok {
  			return Value{}, fmt.Errorf("expr: secret %q not bound", path[1])
+ 		}
 -		// Secrets are NEVER tainted — they're operator-controlled.
 -		// The runner's log scrubber (S41e) replaces their values in
 -		// log output, but the shell-injection guard cares about
 -		// untrusted-source taint, not secret-vs-not.
 -		return Value{Kind: KindString, S: v}, nil
 +		// Secrets are never tainted because they're operator-controlled,
 +		// but they are sensitive. The runner render layer binds them
 +		// through env references rather than embedding plaintext in
 +		// `bash -c` argv.
 +		return Value{Kind: KindString, S: v, Sensitive: true}, nil
  	case "vars":
  		if len(path) != 2 {
  			return Value{}, fmt.Errorf("expr: vars.<name> requires exactly one member")
  		if !ok {
  			return Value{Kind: KindString, S: ""}, nil
+ 		}
 -		return Value{Kind: KindString, S: v, Tainted: ctx.EnvTaint[path[1]]}, nil
 +		return Value{Kind: KindString, S: v, Tainted: ctx.EnvTaint[path[1]], Sensitive: ctx.EnvSensitive[path[1]]}, nil
  	case "shithub":
  		return evalShithub(path[1:], ctx, tainted)
+ 	}
  		return Value{}, err
+ 	}
  	tainted := a.Tainted || b.Tainted
 -	return Value{Kind: KindBool, B: fn(a.String(), b.String()), Tainted: tainted}, nil
 +	return Value{Kind: KindBool, B: fn(a.String(), b.String()), Tainted: tainted, Sensitive: a.Sensitive || b.Sensitive}, nil
+ }
  func evalBinary(n Binary, ctx *Context) (Value, error) {
  		if err != nil {
  			return Value{}, err
+ 		}
 -		return Value{Kind: r.Kind, S: r.S, B: r.B, Tainted: l.Tainted || r.Tainted}, nil
 +		return Value{Kind: r.Kind, S: r.S, B: r.B, Tainted: l.Tainted || r.Tainted, Sensitive: l.Sensitive || r.Sensitive}, nil
  	case "||":
  		if l.Truthy() {
  			return l, nil
  		if err != nil {
  			return Value{}, err
+ 		}
 -		return Value{Kind: r.Kind, S: r.S, B: r.B, Tainted: l.Tainted || r.Tainted}, nil
 +		return Value{Kind: r.Kind, S: r.S, B: r.B, Tainted: l.Tainted || r.Tainted, Sensitive: l.Sensitive || r.Sensitive}, nil
+ 	}
  	r, err := Eval(n.R, ctx)
  	if err != nil {
  	tainted := l.Tainted || r.Tainted
  	switch n.Op {
  	case "==":
 -		return Value{Kind: KindBool, B: valuesEqual(l, r), Tainted: tainted}, nil
 +		return Value{Kind: KindBool, B: valuesEqual(l, r), Tainted: tainted, Sensitive: l.Sensitive || r.Sensitive}, nil
  	case "!=":
 -		return Value{Kind: KindBool, B: !valuesEqual(l, r), Tainted: tainted}, nil
 +		return Value{Kind: KindBool, B: !valuesEqual(l, r), Tainted: tainted, Sensitive: l.Sensitive || r.Sensitive}, nil
+ 	}
  	return Value{}, fmt.Errorf("expr: unknown binary operator %q", n.Op)
+ }

internal/actions/expr/eval_test.gomodified

+ 	}
+ }
 +func TestEval_SecretsAreSensitiveNotTainted(t *testing.T) {
 +	t.Parallel()
 +	ctx := defaultContext()
 +	v, err := evalString(t, `secrets.MY_SECRET`, ctx)
 +	if err != nil {
 +		t.Fatalf("eval: %v", err)
 +	}
 +	if v.Tainted {
 +		t.Fatal("secrets must not be tainted; they are operator-controlled")
 +	}
 +	if !v.Sensitive {
 +		t.Fatal("secrets must be sensitive so runner argv never contains plaintext secret values")
 +	}
 +}
++
 +func TestEval_EnvSensitivityPropagates(t *testing.T) {
 +	t.Parallel()
 +	ctx := defaultContext()
 +	ctx.Env["TOKEN"] = "hunter2"
 +	ctx.EnvSensitive = map[string]bool{"TOKEN": true}
 +	v, err := evalString(t, `env.TOKEN`, ctx)
 +	if err != nil {
 +		t.Fatalf("Eval: %v", err)
 +	}
 +	if !v.Sensitive {
 +		t.Fatal("env values resolved from secrets must remain sensitive")
 +	}
 +}
++
  func TestEval_TaintPropagatesThroughBinary(t *testing.T) {
  	t.Parallel()
  	ctx := defaultContext()

internal/runner/config/config.gomodified

  	DefaultPath            = "/etc/shithubd-runner/config.toml"
  	EnvPrefix              = "SHITHUB_RUNNER_"
  	defaultImage           = "ghcr.io/shithub/runner-nix:1.0"
 +	defaultNetwork         = "shithub-actions"
 +	defaultDNSServer       = "172.30.0.1"
  	defaultSeccompProfile  = "/etc/shithubd-runner/seccomp.json"
  	defaultContainerUser   = "65534:65534"
  	defaultContainerPIDMax = 512
  		Engine: EngineConfig{
  			Kind:           "docker",
  			DefaultImage:   defaultImage,
 -			Network:        "bridge",
 +			Network:        defaultNetwork,
  			Memory:         "2g",
  			CPUs:           "2",
  			SeccompProfile: defaultSeccompProfile,
  			User:           defaultContainerUser,
  			PidsLimit:      defaultContainerPIDMax,
 +			DNSServers:     []string{defaultDNSServer},
  		},
  		Log: LogConfig{
  			Level:  "info",

internal/runner/config/config_test.gomodified

  	if cfg.Engine.Kind != "docker" {
  		t.Fatalf("Engine.Kind: %q", cfg.Engine.Kind)
+ 	}
 +	if cfg.Engine.Network != "shithub-actions" {
 +		t.Fatalf("Engine.Network: %q", cfg.Engine.Network)
 +	}
  	if cfg.Engine.SeccompProfile != "/etc/shithubd-runner/seccomp.json" {
  		t.Fatalf("Engine.SeccompProfile: %q", cfg.Engine.SeccompProfile)
+ 	}
 +	if want := []string{"172.30.0.1"}; !reflect.DeepEqual(cfg.Engine.DNSServers, want) {
 +		t.Fatalf("DNSServers: got %#v want %#v", cfg.Engine.DNSServers, want)
 +	}
  	if cfg.Engine.User != "65534:65534" {
  		t.Fatalf("Engine.User: %q", cfg.Engine.User)
+ 	}

internal/runner/engine/docker.gomodified

+ )
  type CommandRunner interface {
 -	Run(ctx context.Context, name string, args []string, stdout, stderr io.Writer) error
 +	Run(ctx context.Context, name string, args []string, env []string, stdout, stderr io.Writer) error
+ }
  type ExecRunner struct{}
 -func (ExecRunner) Run(ctx context.Context, name string, args []string, stdout, stderr io.Writer) error {
 +func (ExecRunner) Run(ctx context.Context, name string, args []string, env []string, stdout, stderr io.Writer) error {
  	cmd := exec.CommandContext(ctx, name, args...)
 +	if len(env) > 0 {
 +		cmd.Env = append(os.Environ(), env...)
 +	}
  	cmd.Stdout = stdout
  	cmd.Stderr = stderr
  	return cmd.Run()
  	Stderr           io.Writer
  	Runner           CommandRunner
  	MaskValues       []string
 +	AllowRoot        bool
  	Logger           *slog.Logger
+ }
  	writer := d.newStepLogWriter(ctx, job.ID, step.ID, job.MaskValues)
  	out := io.MultiWriter(d.cfg.Stdout, writer)
  	errOut := io.MultiWriter(d.cfg.Stderr, writer)
 -	if err := d.cfg.Runner.Run(ctx, d.cfg.Binary, invocation.args, out, errOut); err != nil {
 +	if err := d.cfg.Runner.Run(ctx, d.cfg.Binary, invocation.args, invocation.env, out, errOut); err != nil {
  		d.logStep(ctx, "runner step completed", job, step, invocation, conclusionForError(err))
  		if closeErr := writer.Close(); closeErr != nil {
  			return fmt.Errorf("runner engine: step %q failed: %w", stepLabel(step), errors.Join(err, closeErr))
  type dockerInvocation struct {
  	args           []string
 +	env            []string
  	image          string
  	network        string
  	memory         string
  		return dockerInvocation{}, fmt.Errorf("runner engine: render step %q: %w", stepLabel(step), err)
+ 	}
  	user := d.cfg.User
 -	if permissionsRequestRoot(job.Permissions) {
 +	if d.cfg.AllowRoot && permissionsRequestRoot(job.Permissions) {
  		user = "0:0"
+ 	}
  	args := []string{
  	if err != nil {
  		return dockerInvocation{}, err
+ 	}
 +	processEnv := make([]string, 0, len(env))
  	for _, key := range sortedKeys(env) {
 -		args = append(args, "-e", key+"="+env[key])
 +		args = append(args, "--env", key)
 +		processEnv = append(processEnv, key+"="+env[key])
+ 	}
  	args = append(args, image, "bash", "-c", rendered.Run)
  	return dockerInvocation{
  		args:           args,
 +		env:            processEnv,
  		image:          image,
  		network:        d.cfg.Network,
  		memory:         d.cfg.Memory,
  		if !envNameRE.MatchString(k) {
  			return nil, fmt.Errorf("runner engine: invalid env name %q", k)
+ 		}
 +		if strings.ContainsRune(v, '\x00') {
 +			return nil, fmt.Errorf("runner engine: invalid env value for %q", k)
 +		}
  		out[k] = v
+ 	}
  	return out, nil

internal/runner/engine/docker_test.gomodified

  type recordingRunner struct {
  	name string
  	args []string
 +	env  []string
  	err  error
+ }
 -func (r *recordingRunner) Run(_ context.Context, name string, args []string, _, _ io.Writer) error {
 +func (r *recordingRunner) Run(_ context.Context, name string, args []string, env []string, _, _ io.Writer) error {
  	r.name = name
  	r.args = append([]string{}, args...)
 +	r.env = append([]string{}, env...)
  	return r.err
+ }
  type loggingRunner struct{}
 -func (loggingRunner) Run(_ context.Context, _ string, _ []string, stdout, stderr io.Writer) error {
 +func (loggingRunner) Run(_ context.Context, _ string, _ []string, _ []string, stdout, stderr io.Writer) error {
  	_, _ = stdout.Write([]byte("hello "))
  	_, _ = stderr.Write([]byte("world\n"))
  	return nil
  type secretLoggingRunner struct{}
 -func (secretLoggingRunner) Run(_ context.Context, _ string, _ []string, stdout, _ io.Writer) error {
 +func (secretLoggingRunner) Run(_ context.Context, _ string, _ []string, _ []string, stdout, _ io.Writer) error {
  	_, _ = stdout.Write([]byte("hun"))
  	_, _ = stdout.Write([]byte("ter2\n"))
  	return nil
  		"--user", "65534:65534",
  		"--workdir=/workspace/subdir",
  		"--mount", rec.args[23],
 -		"-e", "A=job", "-e", "B=step",
 +		"--env", "A", "--env", "B",
  		"runner-image", "bash", "-c", "echo hi",
+ 	}
  	if rec.name != "podman" {
  	if !strings.HasPrefix(rec.args[23], "type=bind,src=") || !strings.HasSuffix(rec.args[23], ",dst=/workspace,rw") {
  		t.Fatalf("workspace mount arg: %q", rec.args[23])
+ 	}
 +	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {
 +		t.Fatalf("env:\ngot  %#v\nwant %#v", rec.env, wantEnv)
 +	}
+ }
  func TestDockerExecute_RendersTaintedExpressionsThroughInputEnv(t *testing.T) {
  	if got := rec.args[len(rec.args)-1]; got != `echo "${SHITHUB_INPUT_0}"` {
  		t.Fatalf("rendered command: %q", got)
+ 	}
 -	if !containsArg(rec.args, "SHITHUB_INPUT_0="+malicious) {
 +	if !containsFlagValue(rec.args, "--env", "SHITHUB_INPUT_0") {
  		t.Fatalf("input binding missing from args: %#v", rec.args)
+ 	}
 +	if containsSubstring(rec.args, malicious) {
 +		t.Fatalf("tainted input leaked into argv: %#v", rec.args)
 +	}
 +	if !containsEnv(rec.env, "SHITHUB_INPUT_0="+malicious) {
 +		t.Fatalf("input binding missing from process env: %#v", rec.env)
 +	}
 +}
++
 +func TestDockerExecute_RendersSecretsThroughEnvWithoutArgvLeak(t *testing.T) {
 +	t.Parallel()
 +	rec := &recordingRunner{}
 +	d := NewDocker(DockerConfig{
 +		DefaultImage: "runner-image",
 +		Network:      "bridge",
 +		Memory:       "2g",
 +		CPUs:         "2",
 +		Runner:       rec,
 +	})
 +	const secret = "hunter2"
 +	if _, err := d.Execute(t.Context(), Job{
 +		ID:           1,
 +		RunID:        2,
 +		Secrets:      map[string]string{"TOKEN": secret},
 +		WorkspaceDir: t.TempDir(),
 +		Steps: []Step{{
 +			Run: `printf '%s\n' "${{ secrets.TOKEN }}"`,
 +		}},
 +	}); err != nil {
 +		t.Fatalf("Execute: %v", err)
 +	}
 +	if got := rec.args[len(rec.args)-1]; got != `printf '%s\n' "${SHITHUB_INPUT_0}"` {
 +		t.Fatalf("rendered command: %q", got)
 +	}
 +	if !containsFlagValue(rec.args, "--env", "SHITHUB_INPUT_0") {
 +		t.Fatalf("secret binding missing from args: %#v", rec.args)
 +	}
 +	if containsSubstring(rec.args, secret) {
 +		t.Fatalf("secret leaked into argv: %#v", rec.args)
 +	}
 +	if !containsEnv(rec.env, "SHITHUB_INPUT_0="+secret) {
 +		t.Fatalf("secret binding missing from process env: %#v", rec.env)
 +	}
+ }
  func TestDockerExecute_RootRequiresExplicitPermission(t *testing.T) {
  	}{
  		{name: "default", permissions: `{}`, wantUser: "65534:65534"},
  		{name: "write-all-does-not-root", permissions: `{"mode":"write-all"}`, wantUser: "65534:65534"},
 -		{name: "explicit-root", permissions: `{"per":{"shithub-runner-root":"write"}}`, wantUser: "0:0"},
 +		{name: "explicit-root-disabled-by-default", permissions: `{"per":{"shithub-runner-root":"write"}}`, wantUser: "65534:65534"},
  	} {
  		t.Run(tc.name, func(t *testing.T) {
  			t.Parallel()
+ 	}
+ }
 +func TestDockerExecute_AllowRootEnablesExplicitRootPermission(t *testing.T) {
 +	t.Parallel()
 +	rec := &recordingRunner{}
 +	d := NewDocker(DockerConfig{
 +		DefaultImage: "runner-image",
 +		Network:      "bridge",
 +		Memory:       "2g",
 +		CPUs:         "2",
 +		AllowRoot:    true,
 +		Runner:       rec,
 +	})
 +	if _, err := d.Execute(t.Context(), Job{
 +		ID:           1,
 +		Permissions:  []byte(`{"per":{"shithub-runner-root":"write"}}`),
 +		WorkspaceDir: t.TempDir(),
 +		Steps:        []Step{{Run: "id -u"}},
 +	}); err != nil {
 +		t.Fatalf("Execute: %v", err)
 +	}
 +	if got := argAfter(rec.args, "--user"); got != "0:0" {
 +		t.Fatalf("--user: got %q want %q in %#v", got, "0:0", rec.args)
 +	}
 +}
++
  func TestDockerExecute_AddsConfiguredDNSServers(t *testing.T) {
  	t.Parallel()
  	rec := &recordingRunner{}
  	return false
+ }
 +func containsFlagValue(args []string, flag, value string) bool {
 +	for i, arg := range args {
 +		if arg == flag && i+1 < len(args) && args[i+1] == value {
 +			return true
 +		}
 +	}
 +	return false
 +}
++
 +func containsSubstring(args []string, substr string) bool {
 +	for _, arg := range args {
 +		if strings.Contains(arg, substr) {
 +			return true
 +		}
 +	}
 +	return false
 +}
++
 +func containsEnv(env []string, want string) bool {
 +	for _, item := range env {
 +		if item == want {
 +			return true
 +		}
 +	}
 +	return false
 +}
++
  func argAfter(args []string, flag string) string {
  	for i, arg := range args {
  		if arg == flag && i+1 < len(args) {

internal/runner/exec/render.gomodified

+ }
  type ResolvedText struct {
 -	Text    string
 -	Tainted bool
 +	Text      string
 +	Tainted   bool
 +	Sensitive bool
+ }
  type RenderedStep struct {
 -	Run      string
 -	Env      map[string]string
 -	EnvTaint map[string]bool
 +	Run          string
 +	Env          map[string]string
 +	EnvTaint     map[string]bool
 +	EnvSensitive map[string]bool
+ }
  type StepInput struct {
  	ctx := cloneContext(&in.Context)
  	bindings := NewBindings("")
 -	env, taint, err := resolveEnv(in.JobEnv, &ctx)
 +	env, taint, sensitive, err := resolveEnv(in.JobEnv, &ctx)
  	if err != nil {
  		return RenderedStep{}, fmt.Errorf("render job env: %w", err)
+ 	}
 -	mergeContextEnv(&ctx, env, taint)
 +	mergeContextEnv(&ctx, env, taint, sensitive)
 -	stepEnv, stepTaint, err := resolveEnv(in.StepEnv, &ctx)
 +	stepEnv, stepTaint, stepSensitive, err := resolveEnv(in.StepEnv, &ctx)
  	if err != nil {
  		return RenderedStep{}, fmt.Errorf("render step env: %w", err)
+ 	}
  		} else {
  			delete(taint, k)
+ 		}
 +		if stepSensitive[k] {
 +			sensitive[k] = true
 +		} else {
 +			delete(sensitive, k)
 +		}
+ 	}
 -	mergeContextEnv(&ctx, stepEnv, stepTaint)
 +	mergeContextEnv(&ctx, stepEnv, stepTaint, stepSensitive)
  	run, err := RenderShell(in.Run, &ctx, bindings)
  	if err != nil {
  	for k, v := range bindings.Env() {
  		env[k] = v
+ 	}
 -	return RenderedStep{Run: run, Env: env, EnvTaint: taint}, nil
 +	return RenderedStep{Run: run, Env: env, EnvTaint: taint, EnvSensitive: sensitive}, nil
+ }
  func RenderShell(raw string, ctx *expr.Context, bindings *Bindings) (string, error) {
  		if err != nil {
  			return err
+ 		}
 -		if v.Tainted {
 +		if v.Tainted || v.Sensitive {
  			out.WriteString("${")
  			out.WriteString(bindings.Add(v.String()))
  			out.WriteString("}")
  func ResolveText(raw string, ctx *expr.Context) (ResolvedText, error) {
  	var out strings.Builder
  	tainted := false
 +	sensitive := false
  	if err := walkExpressions(raw, func(literal, body string) error {
  		if body == "" {
  			out.WriteString(literal)
  		if v.Tainted {
  			tainted = true
+ 		}
 +		if v.Sensitive {
 +			sensitive = true
 +		}
  		out.WriteString(v.String())
  		return nil
  	}); err != nil {
  		return ResolvedText{}, err
+ 	}
 -	return ResolvedText{Text: out.String(), Tainted: tainted}, nil
 +	return ResolvedText{Text: out.String(), Tainted: tainted, Sensitive: sensitive}, nil
+ }
 -func resolveEnv(raw map[string]string, ctx *expr.Context) (map[string]string, map[string]bool, error) {
 +func resolveEnv(raw map[string]string, ctx *expr.Context) (map[string]string, map[string]bool, map[string]bool, error) {
  	out := make(map[string]string, len(raw))
  	taint := make(map[string]bool, len(raw))
 +	sensitive := make(map[string]bool, len(raw))
  	for _, key := range sortedKeys(raw) {
  		if strings.HasPrefix(key, defaultBindingPrefix) {
 -			return nil, nil, fmt.Errorf("%s uses reserved runner input prefix %s", key, defaultBindingPrefix)
 +			return nil, nil, nil, fmt.Errorf("%s uses reserved runner input prefix %s", key, defaultBindingPrefix)
+ 		}
  		v, err := ResolveText(raw[key], ctx)
  		if err != nil {
 -			return nil, nil, fmt.Errorf("%s: %w", key, err)
 +			return nil, nil, nil, fmt.Errorf("%s: %w", key, err)
+ 		}
  		out[key] = v.Text
  		if v.Tainted {
  			taint[key] = true
+ 		}
 +		if v.Sensitive {
 +			sensitive[key] = true
 +		}
+ 	}
 -	return out, taint, nil
 +	return out, taint, sensitive, nil
+ }
  func eval(body string, ctx *expr.Context) (expr.Value, error) {
  	out.Vars = cloneStringMap(ctx.Vars)
  	out.Env = cloneStringMap(ctx.Env)
  	out.EnvTaint = cloneBoolMap(ctx.EnvTaint)
 +	out.EnvSensitive = cloneBoolMap(ctx.EnvSensitive)
  	out.Untrusted = cloneSet(ctx.Untrusted)
  	out.Shithub.Event = cloneAnyMap(ctx.Shithub.Event)
  	return out
+ }
 -func mergeContextEnv(ctx *expr.Context, env map[string]string, taint map[string]bool) {
 +func mergeContextEnv(ctx *expr.Context, env map[string]string, taint map[string]bool, sensitive map[string]bool) {
  	if ctx.Env == nil {
  		ctx.Env = map[string]string{}
+ 	}
  	if ctx.EnvTaint == nil {
  		ctx.EnvTaint = map[string]bool{}
+ 	}
 +	if ctx.EnvSensitive == nil {
 +		ctx.EnvSensitive = map[string]bool{}
 +	}
  	for k, v := range env {
  		ctx.Env[k] = v
  		if taint[k] {
  		} else {
  			delete(ctx.EnvTaint, k)
+ 		}
 +		if sensitive[k] {
 +			ctx.EnvSensitive[k] = true
 +		} else {
 +			delete(ctx.EnvSensitive, k)
 +		}
+ 	}
+ }

internal/runner/exec/render_test.gomodified

+ 	}
+ }
 +func TestRenderShell_SensitiveSecretUsesEnvBinding(t *testing.T) {
 +	t.Parallel()
 +	ctx := expr.Context{
 +		Secrets: map[string]string{
 +			"TOKEN": "hunter2",
 +		},
 +		Untrusted: expr.DefaultUntrusted(),
 +	}
 +	bindings := NewBindings("")
 +	got, err := RenderShell(`echo "${{ secrets.TOKEN }}"`, &ctx, bindings)
 +	if err != nil {
 +		t.Fatalf("RenderShell: %v", err)
 +	}
 +	if got != `echo "${SHITHUB_INPUT_0}"` {
 +		t.Fatalf("command:\ngot  %q\nwant %q", got, `echo "${SHITHUB_INPUT_0}"`)
 +	}
 +	if bindings.Env()["SHITHUB_INPUT_0"] != "hunter2" {
 +		t.Fatalf("bindings: %#v", bindings.Env())
 +	}
 +}
++
  func TestRenderStep_EnvTaintPropagatesToRunExpressions(t *testing.T) {
  	t.Parallel()
  	ctx := expr.Context{
+ 	}
+ }
 +func TestRenderStep_EnvSensitivityPropagatesToRunExpressions(t *testing.T) {
 +	t.Parallel()
 +	ctx := expr.Context{
 +		Secrets:   map[string]string{"TOKEN": "hunter2"},
 +		Untrusted: expr.DefaultUntrusted(),
 +	}
 +	got, err := RenderStep(StepInput{
 +		Context: ctx,
 +		JobEnv: map[string]string{
 +			"TOKEN": "${{ secrets.TOKEN }}",
 +		},
 +		Run: "echo ${{ env.TOKEN }}",
 +	})
 +	if err != nil {
 +		t.Fatalf("RenderStep: %v", err)
 +	}
 +	if got.Env["TOKEN"] != "hunter2" || !got.EnvSensitive["TOKEN"] {
 +		t.Fatalf("env/sensitive: env=%#v sensitive=%#v", got.Env, got.EnvSensitive)
 +	}
 +	if got.Run != "echo ${SHITHUB_INPUT_0}" {
 +		t.Fatalf("run: %q", got.Run)
 +	}
 +	if got.Env["SHITHUB_INPUT_0"] != "hunter2" {
 +		t.Fatalf("input binding: %#v", got.Env)
 +	}
 +}
++
  func TestRenderStep_ResolvesTrustedExpressionsInline(t *testing.T) {
  	t.Parallel()
  	got, err := RenderStep(StepInput{
+ 	}
+ }
 +func TestRenderStep_StepEnvOverrideClearsJobEnvSensitivity(t *testing.T) {
 +	t.Parallel()
 +	ctx := expr.Context{
 +		Secrets:   map[string]string{"TOKEN": "hunter2"},
 +		Untrusted: expr.DefaultUntrusted(),
 +	}
 +	got, err := RenderStep(StepInput{
 +		Context: ctx,
 +		JobEnv: map[string]string{
 +			"TOKEN": "${{ secrets.TOKEN }}",
 +		},
 +		StepEnv: map[string]string{
 +			"TOKEN": "trusted",
 +		},
 +		Run: "echo ${{ env.TOKEN }}",
 +	})
 +	if err != nil {
 +		t.Fatalf("RenderStep: %v", err)
 +	}
 +	if got.EnvSensitive["TOKEN"] {
 +		t.Fatalf("step override should clear sensitivity: %#v", got.EnvSensitive)
 +	}
 +	if got.Run != "echo trusted" {
 +		t.Fatalf("run: %q", got.Run)
 +	}
 +}
++
  func TestRenderStep_RejectsReservedInputEnv(t *testing.T) {
  	t.Parallel()
  	_, err := RenderStep(StepInput{

tenseleyflow/shithub / `841bff9`

8 changed files