Objective
Prevent accidental secret leakage by validating that github-token field uses GitHub Actions secret expressions, not plaintext values.
Context
Related to discussion #2457 (Schema Consistency Audit).
The schema allows any string for github-token, with no pattern validation. Users could accidentally commit secrets:
```yaml
github-token: ghp_actualSecretInPlainText # 😱 LEAKED!
```
Approach
Option A (Recommended): Add a compile-time check in pkg/workflow/github_token.go:
```go
package workflow

import "fmt"
import "strings"

// validateGitHubToken rejects a github-token value that does not look like a
// secrets expression. Substring heuristic: catches a bare plaintext token, but
// not a token concatenated with an expression fragment.
func validateGitHubToken(token string) error {
	// Check if token looks like a secret expression
	if !strings.Contains(token, "${{") || !strings.Contains(token, "secrets.") {
		return fmt.Errorf("github-token should use secret expression (e.g., ${{ secrets.GITHUB_TOKEN }}), not plaintext value")
	}
	return nil
}
```
Option B: Add schema pattern validation in pkg/parser/schemas/main_workflow_schema.json:
```json
{
  "type": "string",
  "pattern": "^\\$\\{\\{.*secrets\\..*\\}\\}$",
  "description": "GitHub token expression using secrets",
  "examples": ["${{ secrets.GITHUB_TOKEN }}"]
}
```
Files to Modify
- Update: pkg/workflow/github_token.go (add validation function)
- Update: pkg/workflow/compiler.go (call validation during compilation)
- Update: pkg/parser/schemas/main_workflow_schema.json (add pattern if using Option B)
- Create: pkg/workflow/github_token_validation_test.go (test validation)
Acceptance Criteria
- Valid secret expressions pass validation: `${{ secrets.GITHUB_TOKEN }}`
- Plaintext tokens trigger a clear error/warning
- Error message suggests correct format
- Existing workflows with valid tokens continue to work
- Unit tests cover valid and invalid cases
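A tightened version of the Option A check, added here as an illustration and not code from this repository: both the substring test in Option A and the `.*` regex in Option B accept a value such as `${{ secrets.GITHUB_TOKEN }}ghp_...` where a real token is glued onto an expression. This example anchors the expression regex, scans for GitHub's documented token prefixes, and returns sentinel errors so a test (or the compiler) can tell the cases apart. Function and error names, the `redact` helper and the sample values are assumptions for the example; the `ghp_` strings are constructed fakes, not real credentials.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example; hypothetical stand-in for pkg/workflow/github_token.go.

// secretExprRE accepts exactly one ${{ secrets.NAME }} reference, with
// optional whitespace inside the braces, and nothing else. Anchoring at both
// ends is what stops a plaintext token concatenated onto an expression.
var secretExprRE = regexp.MustCompile(`^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$`)

// knownTokenPrefixes are GitHub's documented token prefixes (classic PAT,
// fine-grained PAT, OAuth, user-to-server, refresh, installation token).
var knownTokenPrefixes = []string{"ghp_", "github_pat_", "gho_", "ghu_", "ghr_", "ghs_"}

var (
	ErrPlaintextToken = errors.New("github-token looks like a plaintext GitHub credential")
	ErrLiteralValue   = errors.New("github-token is a literal string, not a secret expression")
	ErrMalformedExpr  = errors.New("github-token expression must be exactly one ${{ secrets.NAME }} reference")
)

const suggestion = "use a secret expression such as ${{ secrets.GITHUB_TOKEN }}"

// redact keeps only the first four characters (enough to show a token prefix)
// so a rejected credential is never echoed back in full in compiler output.
func redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// ValidateGitHubToken returns nil for an empty value (the compiler default
// applies) or a well-formed secrets expression; otherwise an error wrapping one
// of the sentinels above, always ending with the suggested correct format.
func ValidateGitHubToken(token string) error {
	t := strings.TrimSpace(token)
	if t == "" || secretExprRE.MatchString(t) {
		return nil
	}
	// Prefix scan uses Contains, not HasPrefix, so "<expr>ghp_..." is caught too.
	for _, p := range knownTokenPrefixes {
		if strings.Contains(t, p) {
			return fmt.Errorf("%w (contains %q, value %s); %s", ErrPlaintextToken, p, redact(t), suggestion)
		}
	}
	if strings.Contains(t, "${{") || strings.Contains(t, "}}") {
		return fmt.Errorf("%w (got %s); %s", ErrMalformedExpr, redact(t), suggestion)
	}
	return fmt.Errorf("%w (got %s); %s", ErrLiteralValue, redact(t), suggestion)
}

func main() {
	// Constructed sample values covering the acceptance criteria.
	samples := []string{
		"${{ secrets.GITHUB_TOKEN }}",
		"${{secrets.MY_PAT}}",
		"",
		"ghp_abcdefghijklmnopqrstuvwxyz0123456789",
		"${{ secrets.GITHUB_TOKEN }}ghp_0123456789abcdef0123456789abcdef01234567",
		"${{ github.token }}",
		"my-token",
	}
	for _, s := range samples {
		if err := ValidateGitHubToken(s); err != nil {
			fmt.Printf("REJECT %-50s -> %v\n", redact(s), err)
		} else {
			fmt.Printf("OK     %s\n", s)
		}
	}
}
```

Note that `${{ github.token }}` is rejected as malformed under this rule because it is a valid Actions expression but not a `secrets.*` reference, which is what the issue asks for; if the project wants to allow it, extend `secretExprRE` rather than loosening the anchors.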
Related to [Schema Consistency] 🔍 Schema Consistency Check - Security & Type Safety Audit (2025-10-25) #2457
AI generated by Plan Command for discussion #2457