Prevent falling back to default token for onprem #3997
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR prevents GitHub Actions runners from falling back to default tokens when downloading actions from GitHub.com in on-premises environments, specifically for GitHub Enterprise Cloud with data residency scenarios.
- Adds logic to detect GitHub Enterprise Cloud environments with data residency
- Implements conditional token fallback that prevents using default tokens for external action downloads
- Introduces URL pattern validation to identify action downloads from GitHub.com
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/Runner.Worker/ActionManager.cs | Adds GitHub URL detection and conditional logic to prevent default token fallback for on-premises scenarios |
| src/Runner.Sdk/Util/UrlUtil.cs | Implements new utility method to detect GHEC data residency fallback scenarios with regex pattern matching |
| #if OS_WINDOWS | ||
| if (downloadInfo.ZipballUrl != null && !Regex.IsMatch(downloadInfo.ZipballUrl.ToString(), pattern)) | ||
| #else | ||
| if (downloadInfo.TarballUrl != null && !Regex.IsMatch(downloadInfo.TarballUrl.ToString(), pattern)) |
There was a problem hiding this comment.
The regex pattern should be extracted as a private static readonly field to improve maintainability and avoid recompilation on each method call.
| if (downloadInfo.TarballUrl != null && !Regex.IsMatch(downloadInfo.TarballUrl.ToString(), pattern)) | |
| #if OS_WINDOWS | |
| if (downloadInfo.ZipballUrl != null && !GHECDRFallbackPattern.IsMatch(downloadInfo.ZipballUrl.ToString())) | |
| #else | |
| if (downloadInfo.TarballUrl != null && !GHECDRFallbackPattern.IsMatch(downloadInfo.TarballUrl.ToString())) |
Copilot uses AI. Check for mistakes.
| @@ -21,6 +22,28 @@ public static bool IsHostedServer(UriBuilder gitHubUrl) | |||
| gitHubUrl.Host.EndsWith(".ghe.com", StringComparison.OrdinalIgnoreCase); | |||
| } | |||
|
|
|||
| // For GitHub Enterprise Cloud with data residency, we allow fallback to GitHub.com for Actions resolution | |||
There was a problem hiding this comment.
This public method lacks XML documentation. Add a summary explaining the method's purpose, parameters, and return value to improve API clarity.
| // For GitHub Enterprise Cloud with data residency, we allow fallback to GitHub.com for Actions resolution | |
| /// <summary> | |
| /// Determines whether the given GitHub Enterprise Cloud with data residency (GHEC DR) URL should fall back to GitHub.com for Actions resolution. | |
| /// </summary> | |
| /// <param name="gitHubUrl">The base GitHub URL to check.</param> | |
| /// <param name="downloadInfo">The action download information containing tarball or zipball URLs.</param> | |
| /// <returns> | |
| /// True if the URL is for a GHEC DR instance that should fall back to GitHub.com for Actions resolution; otherwise, false. | |
| /// </returns> |
Copilot uses AI. Check for mistakes.
| // Default auth token | ||
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token)) | ||
| // Use default auth token unless falling back from OnPrem | ||
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo)) |
There was a problem hiding this comment.
The method IsGHECDRFallbackToDotcom is called with a potentially null gitHubUrl parameter. This will cause a null reference exception if both serverUrl and runnerSettings.GitHubUrl are null or empty.
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo)) | |
| if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && (gitHubUrl == null || !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo))) |
Copilot uses AI. Check for mistakes.
...