1 change: 1 addition & 0 deletions docs/DEPLOYMENT.md
Expand Up @@ -431,6 +431,7 @@ export async function GET() {
### Pre-Deployment

- [ ] All environment variables are set correctly
- [ ] Environment variable names do not start with `GITHUB_` (reserved for GitHub Actions)
- [ ] JWT secrets are cryptographically secure (32+ characters)
- [ ] Database security rules are configured
- [ ] API rate limiting is enabled
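Review bot: the new checklist item states the rule but not what enforces it; since the check added to `lib/config/validator.ts` in this same change turns every `GITHUB_`-prefixed variable into a hard validation error, say so here (for example "validation exits with an error otherwise") so the reader knows this item is checked at startup, not merely recommended.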
10 changes: 9 additions & 1 deletion lib/config/README.md
Expand Up @@ -227,6 +227,7 @@ The configuration system validates:
- **Secret strength** meets requirements
- **Environment-specific** requirements
- **Security best practices**
- **GitHub reserved names** are not used for environment variables

### Validation Errors

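Review bot: the other bullets in this list name the property being validated ("Secret strength", "Environment-specific"), while the new one names the outcome; for consistency and so the reader knows which names count as reserved, phrase it as "**GitHub reserved names** (`GITHUB_` prefix) are not used for environment variables".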
Expand All @@ -236,6 +237,7 @@ The system will exit with an error if:
- Variables have invalid formats
- Security requirements are not met
- Environment-specific requirements are not satisfied
- Environment variable names start with `GITHUB_` (reserved for GitHub Actions)

### Validation Warnings

Expand Down Expand Up @@ -266,6 +268,7 @@ The system will warn about:
- Use strong secrets even in development
- Don't commit real credentials
- Use test/development API keys
- Avoid environment variable names starting with `GITHUB_` to prevent conflicts with GitHub Actions

## Testing

Expand Down Expand Up @@ -301,11 +304,16 @@ The test suite covers:
- Generate a longer, more secure secret
- Use a password generator for strong secrets

4. **Configuration not loading**
4. **"Configuration not loading"**
- Ensure `initializeConfiguration()` is called on startup
- Check for syntax errors in environment files
- Verify file permissions on credential files

5. **"Environment variable 'GITHUB_X' starts with 'GITHUB_' prefix"**
- Rename the environment variable to avoid conflicts with GitHub Actions
- GitHub reserves all environment variables starting with `GITHUB_`
- Use an alternative prefix like `APP_`, `CUSTOM_`, or your application name

### Debug Mode

Enable debug logging to troubleshoot configuration issues:
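Review bot: the edit to item 4 only adds quotes around "Configuration not loading" and is unrelated to the `GITHUB_` change; either drop it or quote the headings of items 1-3 the same way so the list stays consistent. In item 5, the middle bullet ("GitHub reserves all environment variables starting with `GITHUB_`") is background rather than a remediation step; put it in a sentence under the heading and keep the bullets as actions, matching the "Rename ..." and "Use an alternative prefix ..." bullets around it.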
44 changes: 44 additions & 0 deletions lib/config/__tests__/config.test.ts
Expand Up @@ -105,6 +105,50 @@ describe('Configuration System', () => {
result.warnings.some(warning => warning.includes('placeholder'))
).toBe(true)
})

it('should fail validation with GITHUB_ prefixed environment variables', () => {
// Add a GITHUB_ prefixed environment variable
process.env.GITHUB_SECRET = 'test-secret'
process.env.GITHUB_TOKEN = 'test-token'

const result = validateConfiguration()
expect(result.success).toBe(false)
expect(
result.errors.some(error =>
error.includes("Environment variable 'GITHUB_SECRET'") &&
error.includes("starts with 'GITHUB_' prefix")
)
).toBe(true)
expect(
result.errors.some(error =>
error.includes("Environment variable 'GITHUB_TOKEN'") &&
error.includes("starts with 'GITHUB_' prefix")
)
).toBe(true)

// Clean up
delete process.env.GITHUB_SECRET
delete process.env.GITHUB_TOKEN
})

it('should allow non-GITHUB_ prefixed environment variables', () => {
// Add some custom environment variables that should be allowed
process.env.CUSTOM_SECRET = 'test-secret'
process.env.MY_TOKEN = 'test-token'

const result = validateConfiguration()
// Should not fail due to these custom variables
expect(
result.errors.some(error => error.includes("CUSTOM_SECRET"))
).toBe(false)
expect(
result.errors.some(error => error.includes("MY_TOKEN"))
).toBe(false)

// Clean up
delete process.env.CUSTOM_SECRET
delete process.env.MY_TOKEN
})
})

describe('Environment-Specific Configuration', () => {
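Review bot: the cleanup at the end of both new tests (`delete process.env.GITHUB_SECRET`, `delete process.env.GITHUB_TOKEN`, and the `CUSTOM_SECRET`/`MY_TOKEN` pair) never runs if an `expect` before it fails, so one failing assertion leaks those variables into every later test in the file, including the `Environment-Specific Configuration` block that follows; move the deletes into an `afterEach`, or wrap each body in `try`/`finally`. Both tests also read the ambient `process.env` rather than a controlled copy: GitHub Actions exports its own `GITHUB_*` variables (such as `GITHUB_ACTIONS`) into every job, so under CI the first test would pass even without its own setup and the second test's `result.success` would be false for reasons the test never checks; restore a snapshot of `process.env` in `afterEach` and assert `result.success` in the second test so it proves the allow path rather than only the absence of two names in `result.errors`.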
12 changes: 12 additions & 0 deletions lib/config/validator.ts
Expand Up @@ -225,6 +225,18 @@ function validateSecurityConfig(
result.errors.push('WEBHOOK_SECRET must be at least 16 characters long')
}

// Check for GitHub reserved environment variable names
const githubReservedNames = Object.keys(process.env).filter(name =>
name.startsWith('GITHUB_')
)
if (githubReservedNames.length > 0) {
githubReservedNames.forEach(name => {
result.errors.push(
`Environment variable '${name}' starts with 'GITHUB_' prefix which is reserved for GitHub Actions. Please rename this variable to avoid conflicts with GitHub's reserved environment variables.`
)
})
}

// Check for weak secrets in production
if (env === 'production') {
const weakPatterns = ['password', '123456', 'secret', 'admin']
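Review bot: the new check filters all of `process.env`, not just the variables this application defines, so it also trips on variables injected by the host. GitHub Actions itself exports `GITHUB_*` variables (for example `GITHUB_ACTIONS`, `GITHUB_SHA`, `GITHUB_REPOSITORY`) into every job, so calling `validateConfiguration()` inside a CI job, including this project's own test run, would push one error per runner variable and exit, even though the user never named anything with that prefix. Limit the check to the names the configuration schema declares, or to names loaded from the project's own env files, instead of the whole process environment. Minor: the `if (githubReservedNames.length > 0)` guard is redundant because `forEach` over an empty array does nothing; a plain `for (const name of githubReservedNames)` reads cleaner.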