Consider deprecating FORGEJO_TOKEN env var in favor of file-only token access #57
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
User story: So that I can choose credential handling with clear exposure tradeoffs,
forgeshould explicitly deprecate or document raw token environment variables instead of leaving that risk implicit.Part of the "Forge / workspace CLI tooling" arc.
FORGEJO_TOKENis visible in/proc/PID/environwith the same access model as/proc/PID/cmdline. PR #56 hardened curl argv, but the env var token source has similar exposure characteristics: it persists for the entire shell session, is inherited by every child process, and is readable by any process that can read/proc/PID/environ(same permission model as the argv we just fixed).This is not urgent — the primary threat model for forge is accidental exposure (logs, history, dotfile repos) rather than active process snooping, and the env var is convenient for CI and container contexts. But the inconsistency should be resolved explicitly rather than left as a silent gap.
Options:
Deprecate
FORGEJO_TOKENentirely. File-only token access. Simple, consistent, but breaks existing scripts and CI workflows that set the env var.Keep
FORGEJO_TOKENbut document the tradeoff. Acknowledge that env vars have proc visibility, recommend file-based access as the default, and position the env var as an opt-in convenience for contexts where proc visibility is acceptable (single-user VMs, CI runners).Replace
FORGEJO_TOKENwithFORGE_TOKEN_FILEoverride only. Instead of accepting a raw token in the environment, accept only a file path. This keeps the env-based override pattern without putting the token itself in the environment. Scripts that currently doFORGEJO_TOKEN=xxx forge ...would change to writing a temp file.Add a
FORGE_TOKEN_CMDcredential helper. A command that prints the token to stdout, invoked on demand. Similar to git'scredential.helperor AWS'scredential_process. This is the most composable option but the heaviest to implement.The right answer depends on whether we consider proc-visible env vars an acceptable exposure surface for this tool's threat model.