Contributor

Copilot AI commented Aug 25, 2025

✅ Implementation Complete: GitHub Environment Variable Validation

Summary

Successfully implemented validation to prevent environment variable names starting with GITHUB_ to avoid conflicts with GitHub Actions reserved environment variables and follow security best practices.

Changes Made

🔒 Core Security Enhancement

  • Modified lib/config/validator.ts: Extended validateSecurityConfig() function to check all environment variable names for GITHUB_ prefix
  • Early Detection: Validation runs during application startup to catch conflicts before deployment
  • Clear Error Messages: Provides descriptive errors explaining the issue and suggesting solutions

🧪 Comprehensive Testing

  • Added 2 focused test cases in lib/config/__tests__/config.test.ts:
    • Test that validation fails when GITHUB_ prefixed variables are present
    • Test that validation allows non-GITHUB_ prefixed variables
  • All new tests passing

📚 Documentation Updates

  • Updated lib/config/README.md:
    • Added GitHub validation info to validation section
    • Added troubleshooting guide for GitHub prefix errors
    • Updated security considerations
  • Updated docs/DEPLOYMENT.md:
    • Added GitHub prefix check to pre-deployment security checklist

Implementation Details

Validation Logic:

// `result` is the validation result object that validateSecurityConfig() builds up
// and returns; the check below appends one error per offending variable name.
const githubReservedNames = Object.keys(process.env).filter(name =>
  name.startsWith('GITHUB_')
)
if (githubReservedNames.length > 0) {
  githubReservedNames.forEach(name => {
    result.errors.push(
      `Environment variable '${name}' starts with 'GITHUB_' prefix which is reserved for GitHub Actions. Please rename this variable to avoid conflicts with GitHub's reserved environment variables.`
    )
  })
}

Security Impact

  • ✅ Prevents conflicts with GitHub Actions reserved environment variables
  • ✅ Follows security best practices for secret management
  • ✅ Early validation ensures misconfigured environments are detected during startup
  • ✅ Provides clear guidance for developers on proper naming conventions

Testing Verification

  • New validation tests pass with both positive and negative scenarios
  • Existing functionality preserved (pre-existing test failures are unrelated)
  • Type-safe implementation with no TypeScript errors
  • Manual testing confirms proper error messages and validation behavior

The validation is now active and will prevent deployment of applications with conflicting environment variable names, ensuring better security and compatibility with GitHub Actions workflows.
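The same prefix check written as a pure function over an explicit environment map, so it can be unit-tested against constructed environments instead of the live `process.env`. This is an added example, not code from the PR or the project; the function and type names and the sample environments are assumptions.

```typescript
// Added example (not the PR's code): GITHUB_ prefix validation as a pure function.
// Taking the environment as a parameter keeps tests independent of process.env.
interface ValidationResult {
  valid: boolean;
  errors: string[];
}

// GitHub Actions sets variables under this prefix (GITHUB_TOKEN, GITHUB_REPOSITORY, ...),
// so application config must not define names that start with it.
const GITHUB_RESERVED_PREFIX = 'GITHUB_';

// Returns the offending names in sorted order so error output is deterministic.
// The match is an exact, case-sensitive prefix: 'APP_GITHUB_TOKEN' and 'GITHUB' do not match.
function findGithubReservedNames(env: Record<string, string | undefined>): string[] {
  return Object.keys(env)
    .filter((name) => name.startsWith(GITHUB_RESERVED_PREFIX))
    .sort();
}

// Builds the same error message the PR's validator emits, one per conflicting name.
function validateGithubPrefix(env: Record<string, string | undefined>): ValidationResult {
  const errors = findGithubReservedNames(env).map(
    (name) =>
      `Environment variable '${name}' starts with 'GITHUB_' prefix which is reserved for GitHub Actions. ` +
      `Please rename this variable to avoid conflicts with GitHub's reserved environment variables.`,
  );
  return { valid: errors.length === 0, errors };
}

// Constructed sample environments (placeholder values, not real secrets).
const cleanEnv: Record<string, string> = {
  NODE_ENV: 'production',
  APP_GITHUB_TOKEN: 'placeholder', // contains GITHUB_ but does not start with it
  GH_TOKEN: 'placeholder',
};
const conflictingEnv: Record<string, string> = {
  NODE_ENV: 'production',
  GITHUB_TOKEN: 'placeholder',
  GITHUB_API_URL: 'https://example.invalid',
};

// Run against the real environment, e.g. at application startup:
// const startupResult = validateGithubPrefix(process.env);
```

Note that a job running on a GitHub Actions runner will itself have `GITHUB_*` variables injected by the runner, so this check is meant for the application's own deployment environment rather than for code executed inside an Actions workflow step.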
