In buildExecutor.js:_clone (lines 605-610), the GitHub access token is embedded directly in the git command as -c http.extraHeader="Authorization: Basic <base64-token>". This makes the full token visible in the server process list (ps aux) to any user on the host with permission to read process arguments, and the token may also appear in shell history and system logs.
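One way to keep the header out of the process arguments, as an added example that is not the project's own code: Git 2.31 and newer read configuration from the GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n environment variables, so http.extraHeader can be supplied without -c. The names buildCloneSpec, redact and cloneRepo are hypothetical, and the x-access-token:<token> layout of the Basic credential is an assumption.

```javascript
// Added example (not from buildExecutor.js): pass http.extraHeader to git
// through the environment so the token never appears in argv.

// Hypothetical helper. Assumption: the Basic credential is
// base64("x-access-token:<token>"); adjust to what _clone really encodes.
function buildCloneSpec(repoUrl, destDir, token, baseEnv = process.env) {
  if (!token) throw new Error('missing access token');
  const basic = Buffer.from(`x-access-token:${token}`).toString('base64');
  return {
    cmd: 'git',
    // argv carries only non-secret values, so `ps aux` shows nothing sensitive.
    args: ['clone', '--', repoUrl, destDir],
    env: {
      ...baseEnv,
      GIT_CONFIG_COUNT: '1', // requires Git 2.31 or newer
      GIT_CONFIG_KEY_0: 'http.extraHeader',
      GIT_CONFIG_VALUE_0: `Authorization: Basic ${basic}`,
      GIT_TERMINAL_PROMPT: '0', // fail instead of prompting on a server
    },
  };
}

// Strip the raw token and its Basic encoding from text before it is logged.
function redact(text, token) {
  if (!token) return String(text);
  const basic = Buffer.from(`x-access-token:${token}`).toString('base64');
  return String(text)
    .split(token).join('[REDACTED]')
    .split(basic).join('[REDACTED]');
}

async function cloneRepo(repoUrl, destDir, token) {
  const { execFile } = await import('node:child_process');
  const { cmd, args, env } = buildCloneSpec(repoUrl, destDir, token);
  return new Promise((resolve, reject) => {
    // execFile starts git directly: no shell, so nothing lands in shell history.
    execFile(cmd, args, { env }, (err, stdout, stderr) => {
      if (err) reject(new Error(redact(stderr || err.message, token)));
      else resolve(stdout);
    });
  });
}
```

On Linux the environment of a process is still readable through /proc/<pid>/environ by the same user and by root, so this narrows the exposure to the build account rather than removing it.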