From 53965e549a1c2f0e7c1b4d3b1691289bb6356cf1 Mon Sep 17 00:00:00 2001
From: Anand Patil
Date: Tue, 7 Apr 2026 03:30:35 +0000
Subject: [PATCH] fix: read Bazel RBE auth tag from NGAT env instead of hardcoding

The Bazel configure-remote action hardcodes the AES-256-GCM authentication tag in constants.ts, while the SauceLabs and BrowserStack actions correctly read it from the NGAT environment variable. This inconsistency means the embedded GCP service account credential can be decrypted using only publicly available parameters. This change aligns the Bazel action with the existing SauceLabs and BrowserStack patterns by reading the auth tag from process.env.NGAT. Note: The checked-in configure-remote.js bundle will need to be rebuilt by maintainers. The exposed credential should be rotated and gcp_token.data re-encrypted.
---
 github-actions/bazel/configure-remote/constants.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/github-actions/bazel/configure-remote/constants.ts b/github-actions/bazel/configure-remote/constants.ts
index cdec15aa5f..a8e8757bbb 100644
--- a/github-actions/bazel/configure-remote/constants.ts
+++ b/github-actions/bazel/configure-remote/constants.ts
@@ -7,6 +7,6 @@
 */
 export const alg = 'aes-256-gcm';
-export const at = 'QwbjZ/z+yDtD+XZjKj9Ynw==';
+export const at = process.env.NGAT!;
 export const k = process.env.GITHUB_REPOSITORY_OWNER!.padEnd(32, '<');
 export const iv = '000003213213123213';
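Review bot: The unchanged `k` line still derives the AES key from `GITHUB_REPOSITORY_OWNER` padded to 32 characters and `iv` is a fixed literal, so after this change the only non-public input is the GCM authentication tag, which is an integrity check value and not key material. Confidentiality of `gcp_token.data` should rest on a secret key, so I would also read `k` from a repository secret (for example `export const k = process.env.<KEY_SECRET_NAME>!;`, where the name is a placeholder) and use a fresh random IV when the credential is rotated and re-encrypted. Separately, `process.env.NGAT!` only silences the type checker: if the variable is unset, `at` is `undefined` at runtime and the failure will presumably surface later in the decryption code, which is outside this hunk. A guard such as `if (!process.env.NGAT) throw new Error('NGAT is not set');` ahead of the export would make a misconfigured workflow fail with a clear message.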