Skip to content

Harden HF deploy: token via Authorization header, not URL#4

Open
Nickkoro21 wants to merge 1 commit into
mainfrom
harden-hf-workflow
Open

Harden HF deploy: token via Authorization header, not URL#4
Nickkoro21 wants to merge 1 commit into
mainfrom
harden-hf-workflow

Conversation

@Nickkoro21

Copy link
Copy Markdown
Owner

Low-severity workflow hardening from the security scan.

The Force-push ... to Hugging Face Space step embedded HF_TOKEN in the remote URL (https://user:token@huggingface.co/...), which exposes it in the runner's process arguments and can persist it in .git/config. This moves the token into an HTTP Authorization: Basic header via git -c http.extraheader=... — the same mechanism actions/checkout uses internally. The push target and behaviour are otherwise identical.

⚠️ Changes the auth mechanism of a working deploy. Because the workflow only runs on push to main, this branch won't run it. After merging, please trigger a workflow_dispatch run and confirm the HF Space still updates. If it fails for any reason, the previous one-line URL form can be restored.

The force-push embedded HF_TOKEN directly in the remote URL, exposing it in
the runner's process arguments and in .git/config. Move it into an HTTP
Authorization: Basic header via `git -c http.extraheader`, the same mechanism
actions/checkout uses. Push target and behaviour are unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant