Prevent falling back to default token for onprem #3997
base: main
Pull Request Overview
This PR prevents GitHub Actions runners from falling back to default tokens when downloading actions from GitHub.com in on-premises environments, specifically for GitHub Enterprise Cloud with data residency scenarios.
- Adds logic to detect GitHub Enterprise Cloud environments with data residency
- Implements conditional token fallback that prevents using default tokens for external action downloads
- Introduces URL pattern validation to identify action downloads from GitHub.com
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description | 
|---|---|
| src/Runner.Worker/ActionManager.cs | Adds GitHub URL detection and conditional logic to prevent default token fallback for on-premises scenarios | 
| src/Runner.Sdk/Util/UrlUtil.cs | Implements new utility method to detect GHEC data residency fallback scenarios with regex pattern matching | 
| // Default auth token | ||
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token)) | ||
| // Use default auth token unless falling back from OnPrem | ||
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo)) | 
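Review bot: The added comment "Use default auth token unless falling back from OnPrem" does not match the guard on the line after it, which by its name covers only the GHEC data residency fallback to dotcom. Name that case in the comment so a reader does not assume every on-prem configuration skips the default token. When the guard does skip the default token, a trace line recording that the token was withheld would make the decision easy to diagnose.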
    
      
    
Copilot AI, Aug 21, 2025
    
  
The method IsGHECDRFallbackToDotcom is called with a potentially null gitHubUrl parameter. This will cause a null reference exception if both serverUrl and runnerSettings.GitHubUrl are null or empty.
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo)) | |
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && (gitHubUrl == null || !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo))) | 
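Review bot: The suggested guard `gitHubUrl == null ||` covers null only, while the comment above describes gitHubUrl as null or empty, and it resolves an unknown URL in favour of sending the default token. Handling the missing value inside IsGHECDRFallbackToDotcom would keep this condition readable, cover the empty case as well, and put the decision about what an unknown URL means in one place.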
...