fix: exclude Actions artifact token from agent container environment (#1915)

Copilot · lpcox · Copilot · web-flow · commit efe6bcaa6603 · 2026-04-11T12:30:45.000-07:00
* Initial plan * fix: exclude Actions artifact token from agent container env Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/85d33716-5b2a-4d34-b637-903b051ff017 * Update src/docker-manager.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Landon Cox <landon.cox@microsoft.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -1382,6 +1382,78 @@ describe('docker-manager', () => {
       expect(env.ANOTHER_VAR).toBe('another_value');
     });
 
+    it('should never pass ACTIONS_RUNTIME_TOKEN to agent container', () => {
+      const originalToken = process.env.ACTIONS_RUNTIME_TOKEN;
+      process.env.ACTIONS_RUNTIME_TOKEN = 'test-runtime-token-value';
+
+      try {
+        // Should not be passed in default mode
+        const result = generateDockerCompose(mockConfig, mockNetworkConfig);
+        const env = result.services.agent.environment as Record<string, string>;
+        expect(env.ACTIONS_RUNTIME_TOKEN).toBeUndefined();
+      } finally {
+        if (originalToken !== undefined) {
+          process.env.ACTIONS_RUNTIME_TOKEN = originalToken;
+        } else {
+          delete process.env.ACTIONS_RUNTIME_TOKEN;
+        }
+      }
+    });
+
+    it('should never pass ACTIONS_RESULTS_URL to agent container', () => {
+      const originalUrl = process.env.ACTIONS_RESULTS_URL;
+      process.env.ACTIONS_RESULTS_URL = 'https://results-receiver.actions.githubusercontent.com/';
+
+      try {
+        // Should not be passed in default mode
+        const result = generateDockerCompose(mockConfig, mockNetworkConfig);
+        const env = result.services.agent.environment as Record<string, string>;
+        expect(env.ACTIONS_RESULTS_URL).toBeUndefined();
+      } finally {
+        if (originalUrl !== undefined) {
+          process.env.ACTIONS_RESULTS_URL = originalUrl;
+        } else {
+          delete process.env.ACTIONS_RESULTS_URL;
+        }
+      }
+    });
+
+    it('should exclude ACTIONS_RUNTIME_TOKEN from env-all passthrough', () => {
+      const originalToken = process.env.ACTIONS_RUNTIME_TOKEN;
+      process.env.ACTIONS_RUNTIME_TOKEN = 'test-runtime-token-value';
+
+      try {
+        const configWithEnvAll = { ...mockConfig, envAll: true };
+        const result = generateDockerCompose(configWithEnvAll, mockNetworkConfig);
+        const env = result.services.agent.environment as Record<string, string>;
+        expect(env.ACTIONS_RUNTIME_TOKEN).toBeUndefined();
+      } finally {
+        if (originalToken !== undefined) {
+          process.env.ACTIONS_RUNTIME_TOKEN = originalToken;
+        } else {
+          delete process.env.ACTIONS_RUNTIME_TOKEN;
+        }
+      }
+    });
+
+    it('should exclude ACTIONS_RESULTS_URL from env-all passthrough', () => {
+      const originalUrl = process.env.ACTIONS_RESULTS_URL;
+      process.env.ACTIONS_RESULTS_URL = 'https://results-receiver.actions.githubusercontent.com/';
+
+      try {
+        const configWithEnvAll = { ...mockConfig, envAll: true };
+        const result = generateDockerCompose(configWithEnvAll, mockNetworkConfig);
+        const env = result.services.agent.environment as Record<string, string>;
+        expect(env.ACTIONS_RESULTS_URL).toBeUndefined();
+      } finally {
+        if (originalUrl !== undefined) {
+          process.env.ACTIONS_RESULTS_URL = originalUrl;
+        } else {
+          delete process.env.ACTIONS_RESULTS_URL;
+        }
+      }
+    });
+
     it('should exclude system variables when envAll is enabled', () => {
       const originalPath = process.env.PATH;
       process.env.CUSTOM_HOST_VAR = 'test_value';
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -581,6 +581,12 @@ export function generateDockerCompose(
     'SUDO_USER',      // Sudo metadata
     'SUDO_UID',       // Sudo metadata
     'SUDO_GID',       // Sudo metadata
+    // GitHub Actions artifact service tokens — excluded from inherited environment
+    // propagation to prevent agents from uploading arbitrary data as workflow artifacts
+    // (potential data exfiltration vector). These tokens are only needed by the
+    // Actions runner itself, not by the agent.
+    'ACTIONS_RUNTIME_TOKEN',
+    'ACTIONS_RESULTS_URL',
   ]);
 
   // When api-proxy is enabled, exclude API keys from agent environment
