Env vars to strip from subprocess environments when running inside GitHub Actions. This prevents prompt-injection attacks from exfiltrating secrets via shell expansion (e.g., ${AI_API_KEY}) in Bash tool commands.
The parent claude process keeps these vars (needed for API calls, lazy credential reads). Only child processes (bash, shell snapshot, MCP stdio, LSP, hooks) are scrubbed.
GITHUB_TOKEN / GH_TOKEN are intentionally NOT scrubbed — wrapper scripts (gh.sh) need them to call the GitHub API. That token is job-scoped and expires when the workflow ends.
Statics
- GHA_SUBPROCESS_SCRUB - Env vars to strip from subprocess environments when running inside GitHub Actions
Functions
- register_upstream_proxy_env_fn - Called from init.ts to wire up the proxy env function after the upstreamproxy module has been lazily loaded. Must be called before any subprocess is spawned.
- subprocess_env - Returns a copy of process.env with sensitive secrets stripped, for use when spawning subprocesses (Bash tool, shell snapshot, MCP stdio servers, LSP servers, shell hooks).
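
The scrubbing described above, as an added example that is not this crate's own code: a child shell is given a filtered copy of the parent environment, so `${AI_API_KEY}` expands to nothing while `GITHUB_TOKEN` stays available. The scrub list contents, the `GITHUB_ACTIONS=true` check, and the names `scrubbed_env`, `run_child` and `sample_parent` are assumptions; all values are constructed.

```rust
use std::collections::HashMap;
use std::process::Command;

// Hypothetical scrub list. AI_API_KEY is the page's own example; the second
// name is constructed. The real GHA_SUBPROCESS_SCRUB contents are not shown here.
const SCRUB: &[&str] = &["AI_API_KEY", "EXAMPLE_CLOUD_SECRET"];

/// Copy of `parent` with scrubbed names removed when running in GitHub Actions.
/// Assumption: Actions is detected via GITHUB_ACTIONS=true, which runners set.
fn scrubbed_env(parent: &HashMap<String, String>) -> HashMap<String, String> {
    let in_gha = parent.get("GITHUB_ACTIONS").map_or(false, |v| v == "true");
    parent
        .iter()
        .filter(|(k, _)| !(in_gha && SCRUB.contains(&k.as_str())))
        .map(|(k, v)| (k.clone(), v.clone()))
        .collect()
}

/// Run `script` in a child shell that sees only the scrubbed copy.
/// env_clear() matters: without it the child also inherits this process's env.
fn run_child(parent: &HashMap<String, String>, script: &str) -> std::io::Result<String> {
    let out = Command::new("/bin/sh")
        .args(["-c", script])
        .env_clear()
        .envs(scrubbed_env(parent))
        .output()?;
    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
}

/// Constructed parent environment; every value is a placeholder.
fn sample_parent() -> HashMap<String, String> {
    [
        ("GITHUB_ACTIONS", "true"),
        ("AI_API_KEY", "constructed-api-key"),
        ("GITHUB_TOKEN", "constructed-job-token"),
        ("PATH", "/usr/bin:/bin"),
    ]
    .into_iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect()
}

fn main() -> std::io::Result<()> {
    // The kind of expansion an injected Bash command would rely on.
    let seen = run_child(&sample_parent(), r#"echo "[${AI_API_KEY}][${GITHUB_TOKEN}]""#)?;
    println!("{}", seen);
    Ok(())
}
```

The parent map is never modified, which mirrors the page's point that the parent process keeps its credentials and only children receive the filtered copy.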