Allow passing in GITHUB_TOKEN as an env var instead of a flag

[nitrocode]

In the official integration docs, it shows a custom workflow with the following.

          infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \
                                   --pull-request $PULL_NUM \
                                   --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \
                                   --github-token $GITHUB_TOKEN \
                                   --behavior new

I'd much rather omit the --github-token and have infracost comment github subcommand read the token from an environment variable. Is this possible today? If so, can we update the docs accordingly? If not, could this gh issue serve as a feature request to enable that?

[alikhajeh1]

Hi @nitrocode great question! We probably need to communicate this in the docs better but $GITHUB_TOKEN here is the name of the env variable and not the actual token value. So in step 4 of this doc, you first create an env var with the token value, then whatever you call the env var is passed into the --github-token flag as the env var with the $. Does that make sense, or perhaps I'm missing something?

[nitrocode]

It does make sense, but if infracost comment github has the ability to read from the environment variable itself, why would the token need to be explicitly be passed in?

I'd prefer it to either read GITHUB_TOKEN or INFRACOST_GITHUB_TOKEN from the env var and simplify the command to

          infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \
                                   --pull-request $PULL_NUM \
                                   --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \
                                   --behavior new

[alikhajeh1]

@nitrocode good point! We've learned from debugging lots of infracost user issues that explicit interfaces work best for them. So when users pass-in env vars it's clear (and self-documenting) which tokens are being used, and what env var in the user's env they map to. For example, some users already have GH_TOKEN in their github secrets setup, so they prefer to use --github-token=$GH_TOKEN.

[nitrocode]

Couldn't both be supported? The app could check for an environment variable to read and fill the value. If the flag is used, since it's explicit, it could take precedence.

I suppose it's not a big deal unless you're using set -x before the command.

[nitrocode]

@alikhajeh1

One other issue with passing in tokens from the cli is that if you run ps ax, the secrets can be exfiltrated. It's harder to exfiltrate the secrets if the command is run by a separate user with its own environment variable space.

I'd argue that both ways are explicit. One is more secure than the other. Please consider reopening this.

[alikhajeh1]

@nitrocode thanks - good point! BTW, last month we made the Infracost GH App free as it has several benefits, would you be interested in trying that? That removes the need for tokens altogether.

[nitrocode]

Ah that does seem like a very nice replacement for the infracost-atlantis tool. I'll give it a try. Thank you.

[alikhajeh1]

Great - thanks for trying it @nitrocode, feedback is welcome :)