Problem
GitHub PAT tokens are read as a plain-text, comma-separated list from GITHUB_PAT / GITHUB_TOKEN (lib/github.ts lines 36-41). Anyone who obtains the .env file or a dump of the process environment gets every token at once, and because the whole set lives in one static variable there is no rotation, no way to drop a single compromised token without a redeploy, and nothing that stops a raw token from ending up in a log line.
Technical Details
File: lib/github.ts
Lines: 36-41
export function getGitHubTokens(): string[] {
const envToken = process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || '';
return envToken.split(',').map((t) => t.trim()).filter((t) => t !== '');
}
Recommended Solution
Load the tokens from a secret store at runtime and cache them with a short TTL so a rotated token is picked up without a restart; keep the env lookup only as a local-development fallback, never in production:
// Cache keyed by secret name (not by the token value) with a fetch time so the
// entry expires and a rotated token is picked up without a restart.
const TOKEN_CACHE = new Map<string, { token: string; fetchedAt: number }>();
const TOKEN_TTL_MS = 5 * 60 * 1000;
export async function getGitHubToken(): Promise<string> {
const cached = TOKEN_CACHE.get('github_tokens');
if (cached && Date.now() - cached.fetchedAt < TOKEN_TTL_MS) return cached.token;
// Load from the secret store at request time, not from a checked-out .env file
const token = await getFromSecureVault('github_tokens');
TOKEN_CACHE.set('github_tokens', { token, fetchedAt: Date.now() });
return token;
}
async function getFromSecureVault(key: string): Promise<string> {
// Replace this body with a call to AWS Secrets Manager, Vercel KV, or similar.
// The env lookup below is a local-development fallback only; refuse it in
// production so a deployed instance cannot silently fall back to plain-text .env storage.
if (process.env.NODE_ENV === 'production') {
throw new Error('secret store not configured: refusing to read GitHub tokens from env in production');
}
const secret = process.env[key];
if (!secret) throw new Error(`Token not found: ${key}`);
return secret;
}
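As an added worked example (not code from this repository), the pool below fills in the pieces the recommended solution only sketches: parsing the comma-separated list with a prefix check, round-robin over the set, TTL-based refresh so a rotated token is picked up, eviction of a token GitHub rejects, and a redacted form for log lines. `SecretProvider`, `InMemorySecretProvider`, `TokenPool` and the helper names are assumptions made for this example, and the token strings in the usage at the bottom are constructed, not real credentials.

```typescript
// Added example, not lib/github.ts: a rotating token pool fed from a secret provider.
// `SecretProvider`, `InMemorySecretProvider` and `TokenPool` are names assumed for this
// example; the token strings in the usage at the bottom are constructed, not real.

export interface SecretProvider {
  getSecret(name: string): Promise<string>;
}

// Stand-in for a real store (AWS Secrets Manager, Vercel KV, ...) so the example runs offline.
export class InMemorySecretProvider implements SecretProvider {
  constructor(private readonly store: Map<string, string>) {}
  async getSecret(name: string): Promise<string> {
    const value = this.store.get(name);
    if (value === undefined) throw new Error(`secret ${name} not found`);
    return value;
  }
}

// Prefix check only: classic PATs start with ghp_, fine-grained PATs with github_pat_.
// It will not catch a revoked token, but it rejects a pasted password or URL early.
const TOKEN_PREFIX = /^(ghp_|github_pat_)/;
const TOKEN_PATTERN = /^(ghp_|github_pat_)[A-Za-z0-9_]+$/;

export function parseTokenList(raw: string): string[] {
  // Same split/trim/filter as getGitHubTokens, plus validation and de-duplication.
  const tokens = raw.split(',').map((t) => t.trim()).filter((t) => t !== '');
  const bad = tokens.filter((t) => !TOKEN_PATTERN.test(t));
  if (bad.length > 0) {
    // Report a count only: never put the offending values in an error that may be logged.
    throw new Error(`${bad.length} entries in the token list do not look like GitHub tokens`);
  }
  return Array.from(new Set(tokens));
}

export function redact(token: string): string {
  // Safe form for log lines: keep the type prefix and the last four characters.
  const m = token.match(TOKEN_PREFIX);
  const prefix = m ? m[1] : '';
  return `${prefix}...${token.slice(-4)}`;
}

export class TokenPool {
  private tokens: string[] = [];
  private loadedAt = -Infinity;
  private cursor = 0;

  constructor(private readonly ttlMs: number) {}

  // Replace the pool with a freshly fetched list; `now` is injected so refresh is testable.
  load(raw: string, now: number): void {
    this.tokens = parseTokenList(raw);
    this.loadedAt = now;
    this.cursor = 0;
  }

  // True when the cached set is older than the TTL and should be re-read from the store.
  isStale(now: number): boolean {
    return now - this.loadedAt >= this.ttlMs;
  }

  size(): number {
    return this.tokens.length;
  }

  // Round-robin over the loaded tokens so rate-limit budget is spread across them.
  next(): string {
    if (this.tokens.length === 0) throw new Error('token pool is empty');
    const token = this.tokens[this.cursor];
    this.cursor = (this.cursor + 1) % this.tokens.length;
    return token;
  }

  // Drop a token GitHub answered 401/403 for, so it is not handed out again
  // before the next refresh. Returns the number of tokens left.
  evict(token: string): number {
    this.tokens = this.tokens.filter((t) => t !== token);
    this.cursor = this.tokens.length === 0 ? 0 : this.cursor % this.tokens.length;
    return this.tokens.length;
  }
}

// Runtime entry point: refresh from the store when the pool is empty or stale, then rotate.
export async function getGitHubToken(
  pool: TokenPool,
  provider: SecretProvider,
  secretName = 'github_tokens',
  now: () => number = Date.now,
): Promise<string> {
  if (pool.size() === 0 || pool.isStale(now())) {
    pool.load(await provider.getSecret(secretName), now());
  }
  return pool.next();
}

// Usage with constructed (not real) token strings and an in-memory store:
const exampleStore = new Map<string, string>([
  ['github_tokens', 'ghp_' + 'a'.repeat(36) + ', github_pat_' + 'b'.repeat(22) + '_' + 'c'.repeat(59)],
]);
export const examplePool = new TokenPool(5 * 60 * 1000);
export const exampleProvider = new InMemorySecretProvider(exampleStore);
getGitHubToken(examplePool, exampleProvider).then((t) => console.log('using', redact(t)));
```

On a 401 or 403 from the GitHub API, call `evict` with the rejected token and let the next `getGitHubToken` call refresh from the store once the pool is empty or stale; log only `redact(token)`, never the value itself.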
Program Template
Suggested Labels
security, secrets-management, tokens, gssoc-eligible